show parameters of a run with readOnlyMode (#10941)

Author: krisstern

core/src/main/resources/hudson/model/BooleanParameterValue/value.jelly

@@ -28,6 +28,7 @@ THE SOFTWARE.
 	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
     <j:set var="escapeEntryTitleAndDescription" value="false"/>
     <f:entry description="${it.formattedDescription}">
-        <f:checkbox title="${h.escape(it.name)}" name="value" checked="${it.value}" readonly="true" />
+      <j:set var="readOnlyMode" value="true"/>
+      <f:checkbox title="${h.escape(it.name)}" name="value" checked="${it.value}"/>
     </f:entry>
 </j:jelly>

core/src/main/resources/hudson/model/ParametersAction/index.jelly

@@ -35,6 +35,7 @@ THE SOFTWARE.
     <l:main-panel>
 	  <t:buildCaption it="${build}">${title}</t:buildCaption>
       <j:set var="escapeEntryTitleAndDescription" value="true" /> <!-- SECURITY-353 defense unless overridden -->
+      <j:set var="readOnlyMode" value="true"/>
       <j:forEach var="parameterValue" items="${it.parameters}">
 	    <st:include it="${parameterValue}" page="value.jelly" />
       </j:forEach>

core/src/main/resources/hudson/model/StringParameterValue/value.jelly

@@ -24,10 +24,11 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
-	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
-	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
-        <j:set var="escapeEntryTitleAndDescription" value="false"/>
-        <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
-		<f:textbox name="value" value="${it.value}" readonly="true" />
-	</f:entry>
+         xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
+         xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
+  <j:set var="escapeEntryTitleAndDescription" value="false"/>
+  <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
+    <j:set var="readOnlyMode" value="true"/>
+    <f:textbox name="value" value="${it.value}"/>
+  </f:entry>
 </j:jelly>

core/src/main/resources/hudson/model/TextParameterValue/value.jelly

@@ -26,8 +26,9 @@ THE SOFTWARE.
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
 	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
 	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
-        <j:set var="escapeEntryTitleAndDescription" value="false"/>
-        <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
-		<f:textarea name="value" value="${it.value}" readonly="readonly" />
-	</f:entry>
+    <j:set var="escapeEntryTitleAndDescription" value="false"/>
+    <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
+      <j:set var="readOnlyMode" value="true"/>
+      <f:textarea name="value" value="${it.value}"/>
+    </f:entry>
 </j:jelly>

core/src/main/resources/lib/form/checkbox.jelly

@@ -83,9 +83,9 @@ THE SOFTWARE.
            name="${name}"
            value="${attrs.value}"
            title="${attrs.tooltip}"
-           onclick="${attrs.readonly=='true' ? 'return false;' : attrs.onclick}" id="${attrs.id}" class="${attrs.class} ${attrs.negative!=null ? 'negative' : null} ${attrs.checkUrl!=null?'validated':''}"
+           onclick="${attrs.readonly=='true' ? null : attrs.onclick}" id="${attrs.id}" class="${attrs.class} ${attrs.negative!=null ? 'negative' : null} ${attrs.checkUrl!=null?'validated':''}"
            checkUrl="${attrs.checkUrl}" checkDependsOn="${attrs.checkDependsOn}" json="${attrs.json}"
-           disabled="${readOnlyMode ? 'true' : null}"
+           disabled="${readOnlyMode or attrs.readonly=='true' ? 'true' : null}"
            checked="${value ? 'true' : null}"/>
     <label class="attach-previous ${attrs.title == null ? 'js-checkbox-label-empty' : ''}"
            title="${attrs.tooltip}">${attrs.title}</label>

core/src/main/resources/lib/form/radio.jelly

@@ -24,7 +24,7 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define">
- <st:documentation> <![CDATA[
+  <st:documentation> <![CDATA[
     <input type="radio"> tag that takes true/false for @checked, which is more Jelly friendly.
 
     Note that Safari doesn't support onchange.
@@ -38,7 +38,13 @@ THE SOFTWARE.
     <st:attribute name="checked" />
     <st:attribute name="value" />
     <st:attribute name="id" />
-    <st:attribute name="onclick" />
+    <st:attribute name="onclick" deprecated="true">
+      Inline JavaScript to execute when the checkbox is clicked.
+      Deprecated because this attribute is incompatible with adding Content-Security-Policy to the Jenkins UI in the future.
+      Set 'id' or 'class' attributes as appropriate to look up this element in external Javascript files (e.g. adjuncts)
+      to add the desired behavior there (DOMContentLoaded event in static forms, Behaviour.specify if this element may be
+      dynamically added). See https://github.com/jenkinsci/jenkins/pull/6852 for an example.
+    </st:attribute>
     <st:attribute name="title">
       If specified, this human readable text will follow the radio, and clicking this text also
       toggles the radio.

test/src/test/java/hudson/model/ParametersTest.java

@@ -267,7 +267,7 @@ void xss() throws Exception {
         assertAll(
                 () -> assertThat("parameters page should escape param name", text2, containsString("<param name>")),
                 () -> assertThat("parameters page should not leave param name unescaped", text2, not(containsString("<param name>"))),
-                () -> assertThat("parameters page should escape param value", text2, containsString("&lt;param value&gt;")),
+                () -> assertThat("parameters page should escape param value", text2, containsString("&lt;param value>")),
                 () -> assertThat("parameters page should not leave param value unescaped", text2, not(containsString("<param value>"))),
                 () -> assertThat("parameters page should mark up param description", text2, containsString("<b>[</b>param description<b>]</b>")),
                 () -> assertThat("parameters page should not leave param description unescaped", text2, not(containsString("<param description>")))