[JENKINS-71726] [JENKINS-71727] remove inline javascript (#8313)

* [JENKINS-71727] remove inline javascript Also JENKINS-71726 * missing id * fix script tag Co-authored-by: Kevin Guerroudj <91883215+Kevin-CB@users.noreply.github.com> --------- Co-authored-by: Kevin Guerroudj <91883215+Kevin-CB@users.noreply.github.com> Co-authored-by: Mark Waite <mark.earl.waite@gmail.com>
2023-11-20 12:36:12 +01:00 · 2023-11-20 12:36:12 +01:00 · d9cbaa006a
parent 742e95d735
commit d9cbaa006a
4 changed files with 23 additions and 22 deletions
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@ -43,6 +43,7 @@ import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintStream;
+import java.io.PrintWriter;
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.Writer;
@ -108,6 +109,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import jenkins.model.Jenkins;
 import jenkins.util.MemoryReductionUtil;
 import jenkins.util.SystemProperties;
 import jenkins.util.io.PathRemover;
@ -1856,6 +1858,20 @@ public class Util {
        return t;
    }

+    @Restricted(NoExternalUse.class)
+    public static void printRedirect(String contextPath, String redirectUrl, String message, PrintWriter out) {
+        out.printf(
+                "<html><head>" +
+                "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
+                "<script id='redirect' data-redirect-url='%1$s' src='" +
+                contextPath + Jenkins.RESOURCE_PATH +
+                "/scripts/redirect.js'></script>" +
+                "</head>" +
+                "<body style='background-color:white; color:white;'>%n" +
+                "%2$s%n" +
+                "<!--%n", Functions.htmlAttributeEscape(redirectUrl), message);
+    }
+
    public static final FastDateFormat XS_DATETIME_FORMATTER = FastDateFormat.getInstance("yyyy-MM-dd'T'HH:mm:ss'Z'", new SimpleTimeZone(0, "GMT"));

    // Note: RFC822 dates must not be localized!
--- a/core/src/main/java/hudson/model/Run.java
+++ b/core/src/main/java/hudson/model/Run.java
@ -2665,18 +2665,13 @@ public abstract class Run<JobT extends Job<JobT, RunT>, RunT extends Run<JobT, R


    public static class RedirectUp {
-        public void doDynamic(StaplerResponse rsp) throws IOException {
+        public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException {
            // Compromise to handle both browsers (auto-redirect) and programmatic access
            // (want accurate 404 response).. send 404 with javascript to redirect browsers.
            rsp.setStatus(HttpServletResponse.SC_NOT_FOUND);
            rsp.setContentType("text/html;charset=UTF-8");
            PrintWriter out = rsp.getWriter();
-            out.println("<html><head>" +
-                "<meta http-equiv='refresh' content='1;url=..'/>" +
-                "<script>window.location.replace('..');</script>" +
-                "</head>" +
-                "<body style='background-color:white; color:white;'>" +
-                "Not found</body></html>");
+            Util.printRedirect(req.getContextPath(), "..", "Not found", out);
            out.flush();
        }
    }
--- a/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
+++ b/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
@ -26,8 +26,8 @@ package hudson.security;

 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;

-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Functions;
+import hudson.Util;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
@ -105,7 +105,7 @@ public class HudsonAuthenticationEntryPoint implements AuthenticationEntryPoint
            } catch (IllegalStateException e) {
                out = rsp.getWriter();
            }
-            printResponse(loginForm, out);
+            Util.printRedirect(req.getContextPath(), loginForm, "Authentication required", out);

            if (cause != null)
                cause.report(out);
@ -120,17 +120,4 @@ public class HudsonAuthenticationEntryPoint implements AuthenticationEntryPoint
            out.close();
        }
    }
-
-    @SuppressFBWarnings(value = "XSS_SERVLET", justification = "Intermediate step for redirecting users to login page.")
-    private void printResponse(String loginForm, PrintWriter out) {
-        out.printf(
-            "<html><head>" +
-            "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
-            "<script>window.location.replace('%1$s');</script>" +
-            "</head>" +
-            "<body style='background-color:white; color:white;'>%n" +
-            "%n%n" +
-            "Authentication required%n" +
-            "<!--%n", loginForm);
-    }
 }
--- a/war/src/main/webapp/scripts/redirect.js
+++ b/war/src/main/webapp/scripts/redirect.js
@ -0,0 +1,3 @@
+let scriptTag = document.getElementById("redirect");
+let redirectUrl = scriptTag.dataset.redirectUrl;
+window.location.replace(redirectUrl);