build: Properly escape all input values

This commit is contained in:
Janne Heß
2025-08-02 16:26:26 +02:00
committed by ahuston-0
parent 0764b1f48c
commit bb78a58ea2


@@ -37,7 +37,7 @@ END;
seen.${step.drvpath} = 1; seen.${step.drvpath} = 1;
log = c.uri_for('/build' build.id 'nixlog' step.stepnr); %] log = c.uri_for('/build' build.id 'nixlog' step.stepnr); %]
<tr> <tr>
<td>[% step.stepnr %]</td> <td>[% HTML.escape(step.stepnr) %]</td>
<td> <td>
[% IF step.type == 0 %] [% IF step.type == 0 %]
Build of <tt>[% INCLUDE renderOutputs outputs=step.buildstepoutputs %]</tt> Build of <tt>[% INCLUDE renderOutputs outputs=step.buildstepoutputs %]</tt>
@@ -151,7 +151,7 @@ END;
<table class="info-table"> <table class="info-table">
<tr> <tr>
<th>Build ID:</th> <th>Build ID:</th>
<td>[% build.id %]</td> <td>[% HTML.escape(build.id) %]</td>
</tr> </tr>
<tr> <tr>
<th>Status:</th> <th>Status:</th>
@@ -168,9 +168,9 @@ END;
END; END;
%]; %];
[%+ IF nrFinished == nrConstituents && nrFailedConstituents == 0 %] [%+ IF nrFinished == nrConstituents && nrFailedConstituents == 0 %]
all [% nrConstituents %] constituent builds succeeded all [% HTML.escape(nrConstituents) %] constituent builds succeeded
[% ELSE %] [% ELSE %]
[% nrFailedConstituents %] out of [% nrConstituents %] constituent builds failed [% HTML.escape(nrFailedConstituents) %] out of [% HTML.escape(nrConstituents) %] constituent builds failed
[% IF nrFinished < nrConstituents %] [% IF nrFinished < nrConstituents %]
([% nrConstituents - nrFinished %] still pending) ([% nrConstituents - nrFinished %] still pending)
[% END %] [% END %]
@@ -180,24 +180,24 @@ END;
</tr> </tr>
<tr> <tr>
<th>System:</th> <th>System:</th>
<td><tt>[% build.system %]</tt></td> <td><tt>[% build.system | html %]</tt></td>
</tr> </tr>
[% IF build.releasename %] [% IF build.releasename %]
<tr> <tr>
<th>Release name:</th> <th>Release name:</th>
<td><tt>[% HTML.escape(build.releasename) %]</tt></td> <td><tt>[% build.releasename | html %]</tt></td>
</tr> </tr>
[% ELSE %] [% ELSE %]
<tr> <tr>
<th>Nix name:</th> <th>Nix name:</th>
<td><tt>[% build.nixname %]</tt></td> <td><tt>[% build.nixname | html %]</tt></td>
</tr> </tr>
[% END %] [% END %]
[% IF eval %] [% IF eval %]
<tr> <tr>
<th>Part of:</th> <th>Part of:</th>
<td> <td>
<a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]">evaluation [% eval.id %]</a> <a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]">evaluation [% HTML.escape(eval.id) %]</a>
[% IF nrEvals > 1 +%] (and <a href="[% c.uri_for('/build' build.id 'evals') %]">[% nrEvals - 1 %] others</a>)[% END %] [% IF nrEvals > 1 +%] (and <a href="[% c.uri_for('/build' build.id 'evals') %]">[% nrEvals - 1 %] others</a>)[% END %]
</td> </td>
</tr> </tr>
@@ -336,12 +336,12 @@ END;
[% IF eval.nixexprinput %] [% IF eval.nixexprinput %]
<tr> <tr>
<th>Nix expression:</th> <th>Nix expression:</th>
<td>file <tt>[% HTML.escape(eval.nixexprpath) %]</tt> in input <tt>[% HTML.escape(eval.nixexprinput) %]</tt></td> <td>file <tt>[% eval.nixexprpath | html %]</tt> in input <tt>[% eval.nixexprinput | html %]</tt></td>
</tr> </tr>
[% END %] [% END %]
<tr> <tr>
<th>Nix name:</th> <th>Nix name:</th>
<td><tt>[% build.nixname %]</tt></td> <td><tt>[% build.nixname | html %]</tt></td>
</tr> </tr>
<tr> <tr>
<th>Short description:</th> <th>Short description:</th>
@@ -361,11 +361,11 @@ END;
</tr> </tr>
<tr> <tr>
<th>System:</th> <th>System:</th>
<td><tt>[% build.system %]</tt></td> <td><tt>[% build.system | html %]</tt></td>
</tr> </tr>
<tr> <tr>
<th>Derivation store path:</th> <th>Derivation store path:</th>
<td><tt>[% build.drvpath %]</tt></td> <td><tt>[% build.drvpath | html %]</tt></td>
</tr> </tr>
<tr> <tr>
<th>Output store paths:</th> <th>Output store paths:</th>
@@ -412,9 +412,9 @@ END;
<tbody> <tbody>
[% FOREACH metric IN build.buildmetrics %] [% FOREACH metric IN build.buildmetrics %]
<tr> <tr>
<td><tt><a class="row-link" [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]">[%HTML.escape(metric.name)%]</a></tt></td> <td><tt><a class="row-link" [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]">[%metric.name | html%]</a></tt></td>
<td style="text-align: right">[%metric.value%]</td> <td style="text-align: right">[%HTML.escape(metric.value)%]</td>
<td>[%metric.unit%]</td> <td>[% HTML.escape(metric.unit) %]</td>
</tr> </tr>
[% END %] [% END %]
</tbody> </tbody>
@@ -456,8 +456,8 @@ END;
[% FOREACH input IN build.dependents %] [% FOREACH input IN build.dependents %]
<tr> <tr>
<td>[% INCLUDE renderFullBuildLink build=input.build %]</td> <td>[% INCLUDE renderFullBuildLink build=input.build %]</td>
<td><tt>[% input.name %]</tt></td> <td><tt>[% input.name | html %]</tt></td>
<td><tt>[% input.build.system %]</tt></td> <td><tt>[% input.build.system | html %]</tt></td>
<td>[% INCLUDE renderDateTime timestamp = input.build.timestamp %]</td> <td>[% INCLUDE renderDateTime timestamp = input.build.timestamp %]</td>
</tr> </tr>
[% END %] [% END %]
@@ -484,7 +484,7 @@ END;
[% ELSIF runcommandlogProblem == "disabled-jobset" %] [% ELSIF runcommandlogProblem == "disabled-jobset" %]
This jobset does not enable Dynamic RunCommand support. This jobset does not enable Dynamic RunCommand support.
[% ELSE %] [% ELSE %]
Dynamic RunCommand is not enabled: [% runcommandlogProblem %]. Dynamic RunCommand is not enabled: [% HTML.escape(runcommandlogProblem) %].
[% END %] [% END %]
</div> </div>
[% END %] [% END %]
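Review bot: The two link lines in the `@@ -180` hunk (`<a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]">` and the `'/build' build.id 'evals'` link) still interpolate `c.uri_for(...)` raw into an attribute, while the metric row in the `@@ -412` hunk wraps the same kind of value in `HTML.attributes(href => ...)`; for a commit whose point is escaping every interpolated value it would be consistent to do the same here, e.g. `<a [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id])) %]>evaluation [% HTML.escape(eval.id) %]</a>`. The new side also mixes two escaping forms — `HTML.escape(build.id)` in `@@ -151` versus `build.system | html` in `@@ -180` and later hunks — and since the template already uses both, settling on one makes a later grep-based audit for unescaped `[% ... %]` spots much easier. The untouched arithmetic interpolations (`[% nrConstituents - nrFinished %]`, `[% nrEvals - 1 %]`) yield numbers and look safe as they stand, presumably; `[% INCLUDE renderOutputs ... %]` and `renderFullBuildLink` are defined outside these hunks, so whether their bodies escape their inputs cannot be judged from here.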