Use global MarkupFormatter in ScriptlerManagement

Author: strangelookingnerd

pom.xml

@@ -58,11 +58,6 @@
       <artifactId>sshd</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.jenkins-ci.plugins</groupId>
-      <artifactId>antisamy-markup-formatter</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>git-server</artifactId>
@@ -90,6 +85,12 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>antisamy-markup-formatter</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>matrix-auth</artifactId>

src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java

@@ -28,7 +28,6 @@
 import hudson.ExtensionList;
 import hudson.Util;
 import hudson.markup.MarkupFormatter;
-import hudson.markup.RawHtmlMarkupFormatter;
 import hudson.model.*;
 import hudson.security.AccessControlled;
 import hudson.security.Permission;
@@ -77,8 +76,6 @@ public class ScriptlerManagement extends ManagementLink implements RootAction {
     private static final String CAN_BYPASS_APPROVAL = "canByPassScriptApproval";
     private static final String SCRIPT = "script";
 
-    private static final MarkupFormatter INSTANCE = RawHtmlMarkupFormatter.INSTANCE;
-
     // used in Jelly view
     public Permission getScriptlerRunScripts() {
         return ScriptlerPermissions.RUN_SCRIPTS;
@@ -154,7 +151,7 @@ public ScriptlerConfiguration getConfiguration() {
     }
 
     public MarkupFormatter getMarkupFormatter() {
-        return INSTANCE;
+        return Jenkins.get().getMarkupFormatter();
     }
 
     /**

src/test/java/org/jenkinsci/plugins/scriptler/ScriptlerManagementTest.java

@@ -0,0 +1,46 @@
+package org.jenkinsci.plugins.scriptler;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.markup.MarkupFormatter;
+import hudson.markup.RawHtmlMarkupFormatter;
+import java.io.IOException;
+import java.io.Writer;
+import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
+
+@WithJenkins
+class ScriptlerManagementTest {
+
+    @Test
+    void markupFormatter(@SuppressWarnings("unused") JenkinsRule r) throws IOException {
+        ScriptlerManagement management = new ScriptlerManagement();
+
+        // save text
+        String text = management.getMarkupFormatter().translate("Save text");
+        assertEquals("Save text", text);
+
+        // dangerous text with global formatter
+        text = management.getMarkupFormatter().translate("<script>alert('PWND!')</script>");
+        assertEquals("&lt;script&gt;alert(&#039;PWND!&#039;)&lt;/script&gt;", text);
+
+        // dangerous text with OWASP formatter
+        r.jenkins.setMarkupFormatter(RawHtmlMarkupFormatter.INSTANCE);
+        text = management.getMarkupFormatter().translate("<script>alert('PWND!')</script>");
+        assertEquals("", text);
+
+        // save text with broken formatter
+        MarkupFormatter formatter = new MarkupFormatter() {
+            @Override
+            public void translate(String markup, @NonNull Writer output) throws IOException {
+                throw new IOException("Oh no!");
+            }
+        };
+        r.jenkins.setMarkupFormatter(formatter);
+        assertThrows(
+                IOException.class, () -> management.getMarkupFormatter().translate("<script>alert('PWND!')</script>"));
+    }
+}