Fix newView link to use context-relative URL instead of rootURL

sahilleth · sahilleth · commit c5d401de3be6 · 2026-02-28T12:28:08.000+05:30
Fixes JENKINS-51291 / #22743 When Jenkins is behind a reverse proxy (e.g. nginx), the Jenkins Root URL may be configured to the internal server URL for agent connectivity. The 'New View' link in the view tab bar was using rootURL, causing it to navigate to the internal URL instead of the proxy URL. Use request.contextPath + owner.url instead of rootURL so the link resolves relative to the current origin (proxy URL), while still correctly targeting the owning ViewGroup's newView action for both root, folders, and My Views. This also fixes SECURITY-1471 by removing rootURL from the link, preventing javascript: injection via Root URL. Made-with: Cursor
diff --git a/core/src/main/resources/hudson/views/DefaultMyViewsTabBar/myViewTabs.jelly b/core/src/main/resources/hudson/views/DefaultMyViewsTabBar/myViewTabs.jelly
@@ -30,7 +30,7 @@ THE SOFTWARE.
       <l:tab name="${v.displayName}" active="${v==currentView}" href="${rootURL}/${v.url}" />
     </j:forEach>
     <j:if test="${currentView.hasPermission(currentView.CREATE)}">
-      <l:tabNewItem href="${rootURL}/${currentView.owner.url}newView" title="${%New View}" />
+      <l:tabNewItem href="${request.contextPath}/${currentView.owner.url}newView" title="${%New View}" />
     </j:if>
   </l:tabBar>
 </j:jelly>
diff --git a/core/src/main/resources/hudson/views/DefaultViewsTabBar/viewTabs.jelly b/core/src/main/resources/hudson/views/DefaultViewsTabBar/viewTabs.jelly
@@ -41,7 +41,7 @@ THE SOFTWARE.
         </j:forEach>
 
         <j:if test="${currentView.hasPermission(currentView.CREATE)}">
-          <a href="${rootURL}/${currentView.owner.url}newView" tooltip="${%New View}" class="jenkins-button jenkins-button--tertiary">
+          <a href="${request.contextPath}/${currentView.owner.url}newView" tooltip="${%New View}" class="jenkins-button jenkins-button--tertiary">
             <l:icon src="symbol-add" />
           </a>
         </j:if>
@@ -53,7 +53,7 @@ THE SOFTWARE.
           <l:tab name="${v.displayName}" active="${v==currentView}" href="${rootURL}/${v.url}" />
         </j:forEach>
         <j:if test="${currentView.hasPermission(currentView.CREATE)}">
-          <l:tabNewItem href="${rootURL}/${currentView.owner.url}newView" title="${%New View}" />
+          <l:tabNewItem href="${request.contextPath}/${currentView.owner.url}newView" title="${%New View}" />
         </j:if>
       </l:tabBar>
     </j:otherwise>
