From f2b00865b06407f81616ecff94fa0c406596be6c Mon Sep 17 00:00:00 2001
From: Sara Seppola <sara@vaadin.com>
Date: Tue, 7 Oct 2014 16:09:02 +0300
Subject: [PATCH] Ticket summaries are now html-encoded (#14579)

Change-Id: Ia6a4342f6488da27310afe14421ef5af68e436bc
---
 .../FetchReleaseNotesTickets.java             | 55 +++++++++++++++++--
 1 file changed, 49 insertions(+), 6 deletions(-)

diff --git a/buildhelpers/src/com/vaadin/buildhelpers/FetchReleaseNotesTickets.java b/buildhelpers/src/com/vaadin/buildhelpers/FetchReleaseNotesTickets.java
index 497d8c0ff1..64ab86b84e 100644
--- a/buildhelpers/src/com/vaadin/buildhelpers/FetchReleaseNotesTickets.java
+++ b/buildhelpers/src/com/vaadin/buildhelpers/FetchReleaseNotesTickets.java
@@ -99,12 +99,9 @@ public class FetchReleaseNotesTickets {
                 continue;
             }
             String summary = fields[1];
-            if (summary.startsWith("\"") && summary.endsWith("\"")) {
-                // If a summary starts with " and ends with " then all quotes in
-                // the summary are encoded as double quotes
-                summary = summary.substring(1, summary.length() - 1);
-                summary = summary.replace("\"\"", "\"");
-            }
+
+            summary = modifySummaryString(summary);
+
             String badge = "<td></td>";
             if (fields.length >= 8 && !fields[7].equals("")) {
                 badge = "<td class=\"bfp\"><span class=\"bfp\">Priority</span></td>";
@@ -119,6 +116,52 @@ public class FetchReleaseNotesTickets {
         urlStream.close();
     }
 
+    private static String modifySummaryString(String summary) {
+
+        if (summary.startsWith("\"") && summary.endsWith("\"")) {
+            // If a summary starts with " and ends with " then all quotes in
+            // the summary are encoded as double quotes
+            summary = summary.substring(1, summary.length() - 1);
+            summary = summary.replace("\"\"", "\"");
+        }
+
+        // this is needed for escaping html
+        summary = escapeHtml(summary);
+
+        return summary;
+    }
+
+    /**
+     * @since
+     * @param string
+     *            the string to be html-escaped
+     * @return string in html-escape format
+     */
+    private static String escapeHtml(String string) {
+
+        StringBuffer buf = new StringBuffer(string.length() * 2);
+
+        // we check the string character by character and escape only special
+        // characters
+        for (int i = 0; i < string.length(); ++i) {
+
+            char ch = string.charAt(i);
+            String charString = ch + "";
+
+            if ((charString).matches("[a-zA-Z0-9., ]")) {
+                // character is letter, digit, dot, comma or whitespace
+                buf.append(ch);
+            } else {
+                int charInt = ch;
+                buf.append("&");
+                buf.append("#");
+                buf.append(charInt);
+                buf.append(";");
+            }
+        }
+        return buf.toString();
+    }
+
     private static void usage() {
         System.err.println("Usage: "
                 + FetchReleaseNotesTickets.class.getSimpleName()
-- 
2.39.5