CVE-2025-2901: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

CVSS Score: 4.6 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 5/6/2025
Updated: 5/6/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name               Ecosystem  Vulnerable Versions  First Patched Version
org.jboss.hal:hal-console  maven      < 3.7.11.Final       3.7.11.Final

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a stored XSS caused by improper sanitization of user-supplied server URLs before storage, and a lack of adequate sanitization when rendering these stored URLs. The analysis of the patch commit 216de3b8aa82ea92df10cc296d88c68467cf2c52 reveals several key changes:

  1. Input Hardening: The ServerActions.editUrl method, which previously accepted a free-form string for the server URL, was changed to use a structured form (scheme, host, port). This restricts the user's ability to inject malicious script into the URL components during input.
  2. Data Storage and Retrieval: The ServerUrl class was refactored to handle these structured components and its getUrl() method now primarily constructs the URL from these parts, returning a raw String instead of SafeHtml.
  3. Sanitization at Rendering:
    • In ServerActions, when displaying the server URL, explicit sanitization (SafeHtmlUtils.fromString()) was added before injecting the URL into HTML. This is a direct fix for an XSS rendering point.
    • In DeploymentPreview, the server URL (now a raw string) is used directly in an href attribute. This remains a potential execution point if a malicious URL could still be formed and stored, despite input hardening.
    • In RestResourcePreview, the server URL (raw string) is passed to another method, specifyParameters. This is another point where the malicious stored data is processed.

The identified vulnerable functions are either responsible for the initial flawed input (ServerActions.editUrl in its vulnerable state), or are points where the stored malicious URL is rendered or processed, leading to XSS execution (the onSuccess methods in ServerActions, DeploymentPreview, and RestResourcePreview). The commit addresses the vulnerability by modifying these input and rendering pathways.
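The pattern the patch introduces, as an added Python illustration (not HAL's GWT code): ServerUrl accepts only a validated scheme, host and port, get_url() returns a plain string, and rendering encodes for its output context. The scheme allow-list, host pattern and helper names (accepts, render_label, render_link) are assumptions made for this example, not HAL's exact rules.

```python
from dataclasses import dataclass
from html import escape
import re

# Only these schemes may be stored; "javascript:" and "data:" never qualify.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# RFC 1123 hostname labels (also covers a dotted IPv4 literal). Quotes, angle
# brackets, slashes and whitespace cannot pass, so a stored host cannot break out
# of an href attribute or a text node when rendered later. (Assumed rule.)
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

@dataclass(frozen=True)
class ServerUrl:
    scheme: str
    host: str
    port: int

    @classmethod
    def from_parts(cls, scheme: str, host: str, port: int) -> "ServerUrl":
        """Validate the three components; the only sanctioned way to build one."""
        scheme = scheme.strip().lower()
        if scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"scheme not allowed: {scheme!r}")
        if not HOST_RE.match(host):
            raise ValueError(f"invalid host: {host!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")
        return cls(scheme, host, int(port))

    def get_url(self) -> str:
        # Plain str, like the patched getUrl(): callers still encode for context.
        return f"{self.scheme}://{self.host}:{self.port}"

def accepts(scheme: str, host: str, port: int) -> bool:
    try:
        ServerUrl.from_parts(scheme, host, port)
        return True
    except ValueError:
        return False

def render_label(url: str) -> str:
    """Text-node context: HTML-escape, the role SafeHtmlUtils.fromString() plays."""
    return f"<span>{escape(url, quote=True)}</span>"

def render_link(server: ServerUrl) -> str:
    """href context: escaping leaves a javascript: URL intact, so safety rests on
    from_parts() having rejected that scheme at input time."""
    url = escape(server.get_url(), quote=True)
    return f'<a href="{url}">{url}</a>'
```

html.escape() leaves a string such as javascript:void(0) unchanged, which is why an href like the one in DeploymentPreview is safe only because the scheme was constrained at input.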

WAF Protection Rules

WAF Rule

A flaw was found in the JBoss EAP Management Console, where a stored cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages
