Use global MarkupFormatter for changelog summary

Author: strangelookingnerd

pom.xml

@@ -225,10 +225,6 @@
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>script-security</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>antisamy-markup-formatter</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>jackson2-api</artifactId>
@@ -244,6 +240,11 @@
             <artifactId>junit</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>antisamy-markup-formatter</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.assertj</groupId>
             <artifactId>assertj-core</artifactId>

src/main/java/org/jenkinsci/plugins/gitchangelog/perform/GitChangelogSummaryDecorator.java

@@ -1,17 +1,15 @@
 package org.jenkinsci.plugins.gitchangelog.perform;
 
-import hudson.markup.MarkupFormatter;
-import hudson.markup.RawHtmlMarkupFormatter;
 import hudson.model.Action;
 import java.io.IOException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
 
 @ExportedBean(defaultVisibility = 2)
 public class GitChangelogSummaryDecorator implements Action {
-  private static final MarkupFormatter sanitizer = new RawHtmlMarkupFormatter(true);
   private static Logger LOG = Logger.getLogger(GitChangelogSummaryDecorator.class.getSimpleName());
 
   private final String text;
@@ -33,7 +31,7 @@ public String getIconFileName() {
   @Exported
   public String getText() {
     try {
-      return sanitizer.translate(this.text);
+      return Jenkins.get().getMarkupFormatter().translate(this.text);
     } catch (IOException e) {
       LOG.log(Level.SEVERE, e.getMessage(), e);
       return "";

src/test/java/org/jenkinsci/plugins/gitchangelog/DummyTest.java

@@ -0,0 +1,43 @@
+package org.jenkinsci.plugins.gitchangelog.perform;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.markup.MarkupFormatter;
+import hudson.markup.RawHtmlMarkupFormatter;
+import java.io.IOException;
+import java.io.Writer;
+import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
+
+@WithJenkins
+class GitChangelogSummaryDecoratorTest {
+
+  @Test
+  void text(@SuppressWarnings("unused") JenkinsRule r) {
+    // save text
+    GitChangelogSummaryDecorator saveText = new GitChangelogSummaryDecorator("Save text");
+    assertEquals("Save text", saveText.getText());
+
+    // dangerous text with global formatter
+    GitChangelogSummaryDecorator dangerousText =
+        new GitChangelogSummaryDecorator("<script>alert('PWND!')</script>");
+    assertEquals("&lt;script&gt;alert(&#039;PWND!&#039;)&lt;/script&gt;", dangerousText.getText());
+
+    // dangerous text with OWASP formatter
+    r.jenkins.setMarkupFormatter(RawHtmlMarkupFormatter.INSTANCE);
+    assertEquals("", dangerousText.getText());
+
+    // save text with broken formatter
+    MarkupFormatter formatter =
+        new MarkupFormatter() {
+          @Override
+          public void translate(String markup, @NonNull Writer output) throws IOException {
+            throw new IOException("Oh no!");
+          }
+        };
+    r.jenkins.setMarkupFormatter(formatter);
+    assertEquals("", saveText.getText());
+  }
+}