Make custom URL safe

app/src/main/java/org/jboss/hal/client/runtime/configurationchanges/ConfigurationChangeDisplay.java

@@ -25,7 +25,6 @@
 import org.jboss.hal.dmr.ResourceAddress;
 import org.jboss.hal.resources.Ids;
 import org.jboss.hal.resources.Resources;
-
 import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
 import com.google.gwt.safehtml.shared.SafeHtmlUtils;
@@ -109,8 +108,9 @@ public SafeHtml getDescriptionHtml() {
                 boolean allowedProperties = !(prop.getName().equals(OPERATION) || prop.getName()
                         .equals(ADDRESS) || prop.getName().equals(OPERATION_HEADERS));
                 if (allowedProperties) {
+                    String safeValue = SafeHtmlUtils.htmlEscape(prop.getValue().asString());
                     html.append(SafeHtmlUtils.fromTrustedString(
-                            "&nbsp;&nbsp;&nbsp;&nbsp;" + prop.getName() + COLON + prop.getValue() + "<br/>"));
+                            "&nbsp;&nbsp;&nbsp;&nbsp;" + prop.getName() + COLON + safeValue + "<br/>"));
                 }
             });
         });

app/src/main/java/org/jboss/hal/client/runtime/subsystem/jaxrs/RestResourcePreview.java

@@ -43,7 +43,6 @@
 import org.jboss.hal.resources.Ids;
 import org.jboss.hal.resources.Names;
 import org.jboss.hal.resources.Resources;
-
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.gwt.user.client.rpc.AsyncCallback;
@@ -54,13 +53,12 @@
 import elemental2.dom.CSSProperties.MarginBottomUnionType;
 import elemental2.dom.HTMLElement;
 
-import static java.util.stream.Collectors.groupingBy;
-import static java.util.stream.Collectors.joining;
-import static java.util.stream.Collectors.toList;
-
 import static com.google.gwt.safehtml.shared.SafeHtmlUtils.fromSafeConstant;
 import static elemental2.dom.DomGlobal.document;
 import static elemental2.dom.DomGlobal.window;
+import static java.util.stream.Collectors.groupingBy;
+import static java.util.stream.Collectors.joining;
+import static java.util.stream.Collectors.toList;
 import static org.jboss.elemento.Elements.a;
 import static org.jboss.elemento.Elements.asHtmlElement;
 import static org.jboss.elemento.Elements.br;
@@ -262,7 +260,7 @@ public void onSuccess(ServerUrl url) {
                                     Elements.removeChildrenFrom(linkContainer);
                                     // noinspection UnstableApiUsage
                                     linkContainer.appendChild(a().css(clickable)
-                                            .on(click, e -> specifyParameters(url.getUrl(), link, Splitter.on(',')
+                                            .on(click, e -> specifyParameters(url.getUrl().asString(), link, Splitter.on(',')
                                                     .splitToList(linkContainer.dataset.get(LINK))))
                                             .textContent(link).element());
                                 }

app/src/main/java/org/jboss/hal/client/runtime/subsystem/undertow/DeploymentPreview.java

@@ -50,14 +50,12 @@
 import org.jboss.hal.resources.Ids;
 import org.jboss.hal.resources.Names;
 import org.jboss.hal.resources.Resources;
-
 import com.google.gwt.user.client.rpc.AsyncCallback;
 import com.gwtplatform.mvp.shared.proxy.PlaceRequest;
 
 import elemental2.dom.HTMLElement;
 
 import static java.util.stream.Collectors.toList;
-
 import static org.jboss.elemento.Elements.a;
 import static org.jboss.elemento.Elements.asHtmlElement;
 import static org.jboss.elemento.Elements.h;
@@ -278,7 +276,7 @@ public void onSuccess(ServerUrl url) {
                             for (HTMLElement linkContainer : linkContainers) {
                                 String link = linkContainer.textContent;
                                 Elements.removeChildrenFrom(linkContainer);
-                                linkContainer.appendChild(a(url.getUrl() + link)
+                                linkContainer.appendChild(a(url.getUrl().asString() + link)
                                         .apply(a -> a.target = Ids.hostServer(host, server))
                                         .textContent(link).element());
                             }

core/src/main/java/org/jboss/hal/core/runtime/server/ServerActions.java

@@ -26,7 +26,6 @@
 
 import javax.inject.Inject;
 import javax.inject.Provider;
-
 import org.jboss.elemento.Elements;
 import org.jboss.hal.ballroom.Alert;
 import org.jboss.hal.ballroom.dialog.BlockingDialog;
@@ -71,7 +70,6 @@
 import org.jboss.hal.spi.MessageEvent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
 import com.google.common.base.Strings;
 import com.google.gwt.safehtml.shared.SafeHtml;
 import com.google.gwt.user.client.rpc.AsyncCallback;
@@ -80,9 +78,8 @@
 import elemental2.dom.HTMLElement;
 import elemental2.promise.Promise;
 
-import static java.util.Collections.emptyList;
-
 import static elemental2.dom.DomGlobal.setTimeout;
+import static java.util.Collections.emptyList;
 import static org.jboss.elemento.Elements.a;
 import static org.jboss.elemento.Elements.p;
 import static org.jboss.elemento.Elements.span;
@@ -389,7 +386,7 @@ public void suspend(Server server) {
         }
 
         metadataProcessor.lookup(serverConfigTemplate(server), progress.get()).then(metadata -> {
-            String id = Ids.build(SUSPEND, server.getName(), Ids.FORM);
+            String id = Ids.build(SUSPEND, server.getName(), FORM);
             Form<ModelNode> form = new OperationFormBuilder<>(id, metadata, SUSPEND).build();
 
             Dialog dialog = DialogFactory.buildConfirmation(
@@ -457,7 +454,7 @@ public void resume(Server server) {
     public void stop(Server server) {
         metadataProcessor.lookup(serverConfigTemplate(server), progress.get())
                 .then(metadata -> {
-                    String id = Ids.build(STOP, server.getName(), Ids.FORM);
+                    String id = Ids.build(STOP, server.getName(), FORM);
                     Form<ModelNode> form = new OperationFormBuilder<>(id, metadata, STOP)
                             .include(SUSPEND_TIMEOUT)
                             .build();
@@ -604,9 +601,9 @@ public void onFailure(Throwable caught) {
             @Override
             public void onSuccess(ServerUrl url) {
                 Elements.removeChildrenFrom(element);
-                element.appendChild(a(url.getUrl())
+                element.appendChild(a(url.getUrl().asString())
                         .apply(a -> a.target = server.getId())
-                        .textContent(url.getUrl()).element());
+                        .innerHtml(url.getUrl()).element());
                 String icon;
                 String tooltip;
                 if (url.isCustom()) {
@@ -703,7 +700,7 @@ private void show(ServerUrl serverUrl) {
                 dialog.show();
                 form.edit(new ModelNode());
                 if (serverUrl != null) {
-                    urlItem.setValue(serverUrl.getUrl());
+                    urlItem.setValue(serverUrl.getUrl().asString());
                 }
             }
         });

core/src/main/java/org/jboss/hal/core/runtime/server/ServerUrl.java

@@ -15,6 +15,9 @@
  */
 package org.jboss.hal.core.runtime.server;
 
+import com.google.gwt.safehtml.shared.SafeHtml;
+import com.google.gwt.safehtml.shared.SafeHtmlUtils;
+
 public class ServerUrl {
 
     private final String url;
@@ -30,8 +33,8 @@ public String toString() {
         return "ServerUrl(" + url + '\'' + ", custom=" + custom + ')';
     }
 
-    public String getUrl() {
-        return url;
+    public SafeHtml getUrl() {
+        return SafeHtmlUtils.fromString(url);
     }
 
     public boolean isCustom() {