1807: Escape HTML in source code hosting provider's web UI as required

Reviewed-by: erikj

Author: zhaosongzs

bots/censussync/build.gradle

@@ -44,6 +44,9 @@ dependencies {
     implementation project(':storage')
     implementation project(':xml')
     implementation project(':metrics')
+    implementation project(':bots:common')
+    implementation project(':jbs')
+    implementation project(':jcheck')
 
     testImplementation project(':test')
 }

bots/censussync/src/main/java/module-info.java

@@ -31,6 +31,9 @@
     requires java.logging;
     requires java.xml;
     requires java.net.http;
+    requires org.openjdk.skara.jcheck;
+    requires org.openjdk.skara.jbs;
+    requires org.openjdk.skara.bots.common;
 
     provides org.openjdk.skara.bot.BotFactory with org.openjdk.skara.bots.censussync.CensusSyncBotFactory;
 }

bots/censussync/src/main/java/org/openjdk/skara/bots/censussync/CensusSyncSplitBot.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 package org.openjdk.skara.bots.censussync;
 
 import org.openjdk.skara.bot.*;
+import org.openjdk.skara.bots.common.BotUtils;
 import org.openjdk.skara.forge.HostedRepository;
 import org.openjdk.skara.network.RestRequest;
 import org.openjdk.skara.vcs.*;
@@ -77,10 +78,6 @@ private static PrintWriter newPrintWriter(Path p) throws IOException {
         return new PrintWriter(Files.newBufferedWriter(p));
     }
 
-    private static String escape(String s) {
-        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
-    }
-
     private static List<Path> syncVersion(Element census, Path to) throws IOException {
         var date = ZonedDateTime.parse(XML.attribute(census, "time"));
         var timestamp = date.toInstant();
@@ -133,7 +130,7 @@ private static List<Path> syncGroups(Element census, Path to) throws IOException
             var filename = dir.resolve(name + ".xml");
             try (var file = newPrintWriter(filename)) {
                 file.format("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>%n");
-                file.format("<group name=\"%s\" full-name=\"%s\">%n", name, escape(fullName));
+                file.format("<group name=\"%s\" full-name=\"%s\">%n", name, BotUtils.escape(fullName));
                 file.format("    <lead username=\"%s\" />%n", lead);
                 for (var member : members) {
                     file.format("    <member username=\"%s\" />%n", member);
@@ -191,7 +188,7 @@ private static List<Path> syncProjects(Element census, Path to) throws IOExcepti
             var filename = dir.resolve(name + ".xml");
             try (var file = newPrintWriter(filename)) {
                 file.format("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>%n");
-                file.format("<project name=\"%s\" full-name=\"%s\" sponsor=\"%s\">%n", name, escape(fullName), sponsor);
+                file.format("<project name=\"%s\" full-name=\"%s\" sponsor=\"%s\">%n", name, BotUtils.escape(fullName), sponsor);
                 file.format("    <lead username=\"%s\" since=\"0\" />%n", lead);
 
                 for (var reviewer : reviewers) {

bots/censussync/src/main/java/org/openjdk/skara/bots/censussync/CensusSyncUnifyBot.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 package org.openjdk.skara.bots.censussync;
 
 import org.openjdk.skara.bot.*;
+import org.openjdk.skara.bots.common.BotUtils;
 import org.openjdk.skara.census.Census;
 import org.openjdk.skara.forge.*;
 import org.openjdk.skara.vcs.*;
@@ -49,10 +50,6 @@ public class CensusSyncUnifyBot implements Bot, WorkItem {
         this.last = null;
     }
 
-    private static String escape(String s) {
-        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
-    }
-
     @Override
     public boolean concurrentWith(WorkItem other) {
         if (!(other instanceof CensusSyncUnifyBot)) {
@@ -102,7 +99,7 @@ public Collection<WorkItem> run(Path scratch) {
                 }
                 for (var group : census.groups()) {
                     file.println("<group name=\"" + group.name() + "\">");
-                    file.println("  <full-name>" + escape(group.fullName()) + "</full-name>");
+                    file.println("  <full-name>" + BotUtils.escape(group.fullName()) + "</full-name>");
                     file.println("  <person ref=\"" + group.lead().username() + "\" role=\"lead\" />");
                     for (var member : group.members()) {
                         if (!member.username().equals(group.lead().username())) {
@@ -113,7 +110,7 @@ public Collection<WorkItem> run(Path scratch) {
                 }
                 for (var project : census.projects()) {
                     file.println("<project name=\"" + project.name() + "\">");
-                    file.println("  <full-name>" + escape(project.fullName()) + "</full-name>");
+                    file.println("  <full-name>" + BotUtils.escape(project.fullName()) + "</full-name>");
                     file.println("  <sponsor ref=\"" + project.sponsor().name() + "\" />");
 
                     var roles = project.roles(version);

bots/common/src/main/java/org/openjdk/skara/bots/common/BotUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,4 +53,8 @@ public static Optional<JdkVersion> getVersion(PullRequest pr) {
         }
         return JdkVersion.parse(version);
     }
+
+    public static String escape(String s) {
+        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
+    }
 }

bots/pr/src/main/java/org/openjdk/skara/bots/pr/CheckRun.java

@@ -665,7 +665,7 @@ private String getStatusMessage(PullRequestCheckIssueVisitor visitor,
                             progressBody.append("](");
                             progressBody.append(iss.get().webUrl());
                             progressBody.append("): ");
-                            progressBody.append(iss.get().title());
+                            progressBody.append(BotUtils.escape(iss.get().title()));
                             var issueType = iss.get().properties().get("issuetype");
                             if (issueType != null && "CSR".equals(issueType.asString())) {
                                 progressBody.append(" (**CSR**)");