[SECURITY-3280] Address XSS by removing some inline Jelly in JS (#951)

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
jenkinsci · May 3, 2024 · 2162064 · 2162064
1 parent 3f172f2
commit 2162064
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/...in/resources/com/smartcodeltd/jenkinsci/plugins/buildmonitor/BuildMonitorView/index.jelly b/...in/resources/com/smartcodeltd/jenkinsci/plugins/buildmonitor/BuildMonitorView/index.jelly
@@ -88,6 +88,7 @@
         <body class="build-monitor dashboard industrial"
               data-ng-app="buildMonitor"
               data-ng-controller="JobViews"
+              data-display-name="${it.displayName}"
               data-ng-class="{ 'colour-blind-mode': settings.colourBlind == 1, 'reduce-motion-mode': settings.reduceMotion == 1 }">
 
             <header>
@@ -198,7 +199,7 @@
                         proxyProvider.configureProxiesUsing(window.bindings);
 
                         cookieJarProvider.describe({
-                            label:     'buildMonitor.' + hashCodeOf('${it.displayName}'),
+                            label:     'buildMonitor.' + hashCodeOf(document.body.dataset.displayName),
                             shelfLife: 365
                         });
                     });