[SECURITY-1489]

src/main/resources/hudson/plugins/view/dashboard/builds/LatestBuilds/latestbuilds.jelly

@@ -15,7 +15,7 @@
         </td>
         <td data="${it.getBuildColumnSortData(build)}">
           <a href="${h.getRelativeLinkTo(build.parent)}/${build.number}"
-            tooltip="${build.description}">
+            tooltip="${empty(build.description) ? null : app.markupFormatter.translate(build.description)}">
             <l:icon alt="${build.iconColor.description}"
               class="${build.buildStatusIconClassName} icon-sm"/>${build.displayName}
           </a>

src/test/java/hudson/plugins/view/dashboard/builds/LatestBuildsTest.java

@@ -1,45 +1,74 @@
 package hudson.plugins.view.dashboard.builds;
 
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.startsWith;
+import static org.junit.Assert.assertThat;
+
+import com.gargoylesoftware.htmlunit.html.HtmlAnchor;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import hudson.model.FreeStyleBuild;
 import hudson.model.FreeStyleProject;
 import hudson.model.Job;
-import hudson.model.Run;
+import hudson.plugins.view.dashboard.Dashboard;
 import java.util.Collections;
 import java.util.List;
-import java.util.concurrent.Callable;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
 import org.junit.Test;
-import org.junit.Rule;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.RunLoadCounter;
 
 public class LatestBuildsTest {
 
-    @Rule
-    public JenkinsRule j = new JenkinsRule();
+  @ClassRule public static JenkinsRule j = new JenkinsRule();
 
-    @Test
-    public void testAvoidEagerLoading() throws Exception {
-        final FreeStyleProject p = j.createFreeStyleProject();
-        RunLoadCounter.prepare(p);
-        for (int i = 0; i < 5; i++) {
-            j.assertBuildStatusSuccess(p.scheduleBuild2(0));
-        }
+  static FreeStyleProject p;
 
-        int numbuilds = 3;
-        final LatestBuilds latest = new LatestBuilds("-", numbuilds) {
+  @BeforeClass
+  public static void prepareBuilds() throws Exception {
+    p = j.createFreeStyleProject();
+    for (int i = 0; i < 5; i++) {
+      j.assertBuildStatusSuccess(p.scheduleBuild2(0));
+    }
+  }
 
-            @Override
-            protected List<Job> getDashboardJobs() {
-                return Collections.singletonList((Job) p);
-            }
+  @Test
+  public void testAvoidEagerLoading() throws Exception {
+    RunLoadCounter.prepare(p);
 
-        };
+    int numbuilds = 3;
+    final LatestBuilds latest =
+        new LatestBuilds("-", numbuilds) {
 
-        RunLoadCounter.assertMaxLoads(p, numbuilds, new Callable<List<Run>>() {
+          @Override
+          protected List<Job> getDashboardJobs() {
+            return Collections.singletonList((Job) p);
+          }
+        };
 
-            public List<Run> call() throws Exception {
-                return latest.getFinishedBuilds();
-            }
-        });
-    }
+    RunLoadCounter.assertMaxLoads(p, numbuilds, () -> latest.getFinishedBuilds());
+  }
 
-}
+  @Test
+  @Issue("SECURITY-1489")
+  public void testTooltipIsEscaped() throws Exception {
+    FreeStyleBuild lastBuild = p.getLastBuild();
+    lastBuild.setDescription("<i/onmouseover=confirm(1)>test");
+    Dashboard dashboard = new Dashboard("foo");
+    dashboard.setIncludeRegex(".*");
+    dashboard.getLeftPortlets().add(new LatestBuilds("foo", 10));
+    j.jenkins.addView(dashboard);
+    HtmlPage page = j.createWebClient().goTo("view/foo/");
+    HtmlAnchor link =
+        page.getAnchors().stream()
+            .filter(a -> a.getHrefAttribute().endsWith("/" + lastBuild.number))
+            .findAny()
+            .orElseThrow(IllegalStateException::new);
+    String tooltip = link.getAttribute("tooltip");
+    // The default formatter just escapes all HTML
+    assertThat(tooltip, not(containsString("<")));
+    assertThat(tooltip, startsWith("&lt;"));
+  }
+}