diff --git a/pom.xml b/pom.xml
index c7ec4986..3d2a5abd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,11 +58,6 @@
sshd
-
- org.jenkins-ci.plugins
- antisamy-markup-formatter
-
-
org.jenkins-ci.plugins
git-server
@@ -90,6 +85,12 @@
test
+
+ org.jenkins-ci.plugins
+ antisamy-markup-formatter
+ test
+
+
org.jenkins-ci.plugins
matrix-auth
diff --git a/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java b/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java
index 02e92e7e..7166561d 100644
--- a/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java
+++ b/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java
@@ -28,7 +28,6 @@
import hudson.ExtensionList;
import hudson.Util;
import hudson.markup.MarkupFormatter;
-import hudson.markup.RawHtmlMarkupFormatter;
import hudson.model.*;
import hudson.security.AccessControlled;
import hudson.security.Permission;
@@ -77,8 +76,6 @@ public class ScriptlerManagement extends ManagementLink implements RootAction {
private static final String CAN_BYPASS_APPROVAL = "canByPassScriptApproval";
private static final String SCRIPT = "script";
- private static final MarkupFormatter INSTANCE = RawHtmlMarkupFormatter.INSTANCE;
-
// used in Jelly view
public Permission getScriptlerRunScripts() {
return ScriptlerPermissions.RUN_SCRIPTS;
@@ -154,7 +151,7 @@ public ScriptlerConfiguration getConfiguration() {
}
public MarkupFormatter getMarkupFormatter() {
- return INSTANCE;
+ return Jenkins.get().getMarkupFormatter();
}
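Review bot: `getMarkupFormatter()` now returns whatever formatter the instance administrator configured, so the trust level of rendered script descriptions is no longer fixed to the OWASP sanitizer but follows the global policy — if a permissive formatter is configured, anyone allowed to edit a Scriptler description can emit that markup; that is a reasonable design, but it deserves Javadoc so the next maintainer does not reintroduce a hard-coded formatter or assume sanitization. Add above the method: `/** Formatter the Jelly views use to render script descriptions. Delegates to {@link Jenkins#getMarkupFormatter()} so the instance-wide markup policy applies; with a permissive global formatter, whoever may edit descriptions controls the emitted HTML. */`. Note that `translate` on the returned formatter declares `IOException`, so a misbehaving formatter will surface in the view as an error rather than falling back to escaped text, which matches the new test's expectation. The hunk's first line is the closing brace of `getConfiguration()`, whose body lies outside this diff.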
/**
diff --git a/src/test/java/org/jenkinsci/plugins/scriptler/ScriptlerManagementTest.java b/src/test/java/org/jenkinsci/plugins/scriptler/ScriptlerManagementTest.java
new file mode 100644
index 00000000..10ba6aab
--- /dev/null
+++ b/src/test/java/org/jenkinsci/plugins/scriptler/ScriptlerManagementTest.java
@@ -0,0 +1,46 @@
+package org.jenkinsci.plugins.scriptler;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.markup.MarkupFormatter;
+import hudson.markup.RawHtmlMarkupFormatter;
+import java.io.IOException;
+import java.io.Writer;
+import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
+
+@WithJenkins
+class ScriptlerManagementTest {
+
+ @Test
+ void markupFormatter(@SuppressWarnings("unused") JenkinsRule r) throws IOException {
+ ScriptlerManagement management = new ScriptlerManagement();
+
+ // save text
+ String text = management.getMarkupFormatter().translate("Save text");
+ assertEquals("Save text", text);
+
+ // dangerous text with global formatter
+ text = management.getMarkupFormatter().translate("");
+ assertEquals("<script>alert('PWND!')</script>", text);
+
+ // dangerous text with OWASP formatter
+ r.jenkins.setMarkupFormatter(RawHtmlMarkupFormatter.INSTANCE);
+ text = management.getMarkupFormatter().translate("");
+ assertEquals("", text);
+
+ // save text with broken formatter
+ MarkupFormatter formatter = new MarkupFormatter() {
+ @Override
+ public void translate(String markup, @NonNull Writer output) throws IOException {
+ throw new IOException("Oh no!");
+ }
+ };
+ r.jenkins.setMarkupFormatter(formatter);
+ assertThrows(
+ IOException.class, () -> management.getMarkupFormatter().translate(""));
+ }
+}
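Review bot: The `@SuppressWarnings("unused")` on the `JenkinsRule r` parameter is wrong — `r` is used for `r.jenkins.setMarkupFormatter(...)` further down — so drop it: `void markupFormatter(JenkinsRule r) throws IOException {`. As rendered, the "dangerous" inputs passed to `translate` appear as empty strings while the first dangerous-text assertion expects a literal `<script>alert('PWND!')</script>` back from the default global formatter, which would be the opposite of what an escaping default produces; this looks like the `<script>` markup was stripped and the escaped entities decoded during extraction, so verify in the source that the payload literal is intact and that the expected value is its escaped form (and that the OWASP case expects an empty or tag-stripped string). Since the test mutates the global formatter twice and relies on `@WithJenkins` providing a fresh instance per test, a one-line comment saying so, `// each @WithJenkins test gets its own Jenkins, so the global formatter changes below do not leak`, would make the ordering dependency explicit.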