[SECURITY-2792]

Author: daniel-beck

src/main/java/org/jenkinsci/plugins/badge/StatusImage.java

@@ -8,6 +8,7 @@
 package org.jenkinsci.plugins.badge;
 
 import java.net.MalformedURLException;
+import java.util.Arrays;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.io.IOUtils;
@@ -105,13 +106,12 @@ class StatusImage implements HttpResponse {
         if (status != null) status = StringEscapeUtils.escapeHtml(status);
         if (animatedColorName != null) animatedColorName = StringEscapeUtils.escapeHtml(animatedColorName);
         if (colorName != null) colorName = StringEscapeUtils.escapeHtml(colorName);
-        if (style != null) style = StringEscapeUtils.escapeHtml(style);
         if (link != null) link = StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeHtml(link)); // double-escape because concatenating into an attribute effectively removes one level of quoting
 
         if (baseUrl != null) {
             etag = Jenkins.RESOURCE_PATH + '/' + subject + status + colorName + animatedColorName + style;
 
-            if (style == null) {
+            if (style == null || !Arrays.asList("flat-square", "plastic").contains(style)) { // explicitly list allowed values for SECURITY-2792
                 style = "flat";
             }