Fix XXE and XSS vulnerabilities

pom.xml

@@ -10,7 +10,7 @@
     <version>0.29-SNAPSHOT</version>
     <packaging>hpi</packaging>
     <name>Jenkins Valgrind Plug-in</name>
-    <url>http://wiki.jenkins-ci.org/display/JENKINS/Valgrind+Plugin</url>
+    <url>https://wiki.jenkins-ci.org/display/JENKINS/Valgrind+Plugin</url>
 
     <licenses>
         <license>
@@ -37,14 +37,14 @@
     <repositories>
         <repository>
             <id>repo.jenkins-ci.org</id>
-            <url>http://repo.jenkins-ci.org/public/</url>
+            <url>https://repo.jenkins-ci.org/public/</url>
         </repository>
     </repositories>
 
     <pluginRepositories>
         <pluginRepository>
             <id>repo.jenkins-ci.org</id>
-            <url>http://repo.jenkins-ci.org/public/</url>
+            <url>https://repo.jenkins-ci.org/public/</url>
         </pluginRepository>
     </pluginRepositories>
 
@@ -62,6 +62,11 @@
             <scope>test</scope>
         </dependency>
 
+	<dependency>
+		<groupId>org.apache.commons</groupId>
+		<artifactId>commons-text</artifactId>
+		<version>1.3</version>
+	</dependency>
         <dependency>
             <groupId>org.easymock</groupId>
             <artifactId>easymock</artifactId>

src/main/java/org/jenkinsci/plugins/valgrind/ValgrindResult.java

@@ -85,7 +85,7 @@ public String getSummary() throws IOException, InterruptedException
 
 	/**
 	 *
-	 * @param link expected to be in format "id=<executable name>,<unique error id>"
+	 * @param link expected to be in format "id=&lt;executable name&gt;,&lt;unique error id&gt;"
 	 * @param request
 	 * @param response
 	 * @return valgrind detail(s)

src/main/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParser.java

@@ -8,6 +8,8 @@
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
+
 import org.jenkinsci.plugins.valgrind.model.ValgrindAuxiliary;
 import org.jenkinsci.plugins.valgrind.model.ValgrindError;
 import org.jenkinsci.plugins.valgrind.model.ValgrindErrorKind;
@@ -329,7 +331,7 @@ public void characters(char ch[], int start, int length) throws SAXException
 			if ( data == null )
 				return;
 
-			data.append(new String(ch,start,length));
+			data.append(escapeHtml4(new String(ch,start,length)));
 		}
 
 		public ValgrindReport getReport()
@@ -342,6 +344,9 @@ public ValgrindReport parse( final File file ) throws ParserConfigurationExcepti
 	{
 		SAXParserFactory factory = SAXParserFactory.newInstance();
 		factory.setNamespaceAware(true);
+		factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 		SAXParser saxParser = factory.newSAXParser();
 
 		Handler handler = new Handler();

src/test/java/org/jenkinsci/plugins/valgrind/parser/ValgrindSaxParserTest.java

@@ -175,7 +175,7 @@ public void suppression() throws ParserConfigurationException, SAXException, IOE
 
 		final String expectedSuppression =
         "{\n" +
-		"   <insert_a_suppression_name_here>\n" +
+		"   insert_a_suppression_name_here\n" +
 		"   Memcheck:Addr1\n" +
 		"   fun:memcpy@@GLIBC_2.14\n" +
 		"   fun:access_already_freed_memory_memcpy\n" +

src/test/resources/org/jenkinsci/plugins/valgrind/parser/aux-data.xml

@@ -87,7 +87,7 @@
     <rawtext>
 <![CDATA[
 {
-   <insert_a_suppression_name_here>
+   insert_a_suppression_name_here
    Memcheck:Addr1
    fun:memcpy@@GLIBC_2.14
    fun:access_already_freed_memory_memcpy