Console: Fix escaping of plugin description on /configclients (ticket #1711)

apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHelper.java

@@ -151,7 +151,7 @@ public class ConfigClientsHelper extends HelperBase {
                        //"webConsole".equals(ca.clientName) || "Web console".equals(ca.clientName),
                        false, RouterConsoleRunner.class.getName().equals(ca.className),
                        // description
-                       ca.className + ((ca.args != null) ? " " + ca.args : ""),
+                       DataHelper.escapeHTML(ca.className + ((ca.args != null) ? " " + ca.args : "")),
                        // edit
                        allowEdit && (""+cur).equals(_edit),
                        // show edit button, show update button
@@ -212,7 +212,7 @@ public class ConfigClientsHelper extends HelperBase {
                 boolean isRunning = WebAppStarter.isWebAppRunning(app);
                 renderForm(buf, app, app, !"addressbook".equals(app),
                            "true".equals(val), RouterConsoleRunner.ROUTERCONSOLE.equals(app),
-                           RouterConsoleRunner.ROUTERCONSOLE.equals(app), app + ".war",
+                           RouterConsoleRunner.ROUTERCONSOLE.equals(app), DataHelper.escapeHTML(app + ".war"),
                            false, false, false, isRunning, false, !isRunning);
             }
         }
@@ -316,14 +316,15 @@ public class ConfigClientsHelper extends HelperBase {
     /**
      *  Misnamed, renders a single line in a table for a single client/webapp/plugin.
      *
-     *  ro trumps edit and showEditButton
+     *  @param name will be escaped here
+     *  @param ro trumps edit and showEditButton
+     *  @param escapedDesc description, must be HTML escaped, except for plugins
      */
     private void renderForm(StringBuilder buf, String index, String name, boolean urlify,
-                            boolean enabled, boolean ro, boolean preventDisable, String desc, boolean edit,
+                            boolean enabled, boolean ro, boolean preventDisable, String escapedDesc, boolean edit,
                             boolean showEditButton, boolean showUpdateButton, boolean showStopButton,
                             boolean showDeleteButton, boolean showStartButton) {
         String escapedName = DataHelper.escapeHTML(name);
-        String escapedDesc = DataHelper.escapeHTML(desc);
         buf.append("<tr><td class=\"mediumtags\" align=\"right\" width=\"25%\">");
         if (urlify && enabled) {
             String link = "/";

history.txt

@@ -1,3 +1,6 @@
+2015-11-21 zzz
+  * Console: Fix escaping of plugin description on /configclients (ticket #1711)
+
 * 2015-11-19 0.9.23 released
 
 2015-11-19 str4d
@@ -9,7 +12,7 @@
  * Translation updates
 
 2015-11-13 zab
- * Interrupt() when cancelling scheduled tasks
+ * Interrupt() when cancelling scheduled tasks (tickets #1694, #1705)
 
 2015-11-13 zzz
  * Console: Fix lifetime participating bandwidth display (ticket #1706)

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 0;
+    public final static long BUILD = 1;
 
     /** for example "-test" */
     public final static String EXTRA = "";