[ 
https://issues.apache.org/jira/browse/CONTINUUM-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14526591#comment-14526591
 ] 

Brent N Atkinson commented on CONTINUUM-2763:
---------------------------------------------

This was more difficult than anticipated due to the fact that the JSP used 
extremecomponents tags and they do not appear to support HTML escaping. While 
the long-term solution is migrating away from using extremecomponents, I was 
able to achieve this by implementing a custom cell renderer.

> Build result page does not escape commit messages for HTML
> ----------------------------------------------------------
>
>                 Key: CONTINUUM-2763
>                 URL: https://issues.apache.org/jira/browse/CONTINUUM-2763
>             Project: Continuum
>          Issue Type: Bug
>    Affects Versions: 1.4.2
>            Reporter: Brent N Atkinson
>             Fix For: 1.5.0
>
>         Attachments: CONTINUUM-2763.png
>
>
> This was discovered when encountering CONTINUUM-2762 on continuum-ci.a.o. One 
> of the commit messages contained an HTML input tag, which was apparent when 
> visiting the page since focus was forced to it. Messages should be escaped 
> for safe display to a web browser to prevent this.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
