Bug
Resolution: Fixed
Major
None
One of my tests outputs text that contains what looks like an HTML tag:
ok 19 - msg is "defO01<<TRUNCATED>>"
The Description column for this test on the TAP Extended Test Results page looks like this:
- msg is "defO01<>"
When I browse the source HTML for this section of the page, the text from the TAP output is definitely not being escaped. This could lead to cross-site scripting issues.
Hi, sorry for taking so long to fix this issue. Working on it at the moment.
Here's the Jelly docs about XSS. I didn't know about this neat trick. A single line to fix this security issue. I'll check if we can add it in a few other files as well, without breaking anything.
https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention
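Added example, not part of the issue thread or the plugin's own code: a small audit that lists Jelly views lacking the `<?jelly escape-by-default='true'?>` header documented on the linked Jenkins page, which is the kind of check the follow-up across "a few other files" calls for. It assumes that header is the one-line fix meant in the comment; the sample views and the property name `test.description` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Header documented on the Jenkins "Jelly and XSS prevention" wiki page.
HEADER = re.compile(r"<\?jelly\s+escape-by-default\s*=\s*['\"](\w+)['\"]\s*\?>")
# ${...} expressions are where view data such as TAP descriptions reaches HTML.
EXPR = re.compile(r"\$\{[^}]+\}")

# Constructed sample views; the property name test.description is hypothetical.
UNESCAPED_VIEW = """<j:jelly xmlns:j="jelly:core">
  <td>${test.description}</td>
</j:jelly>
"""
ESCAPED_VIEW = "<?jelly escape-by-default='true'?>\n" + UNESCAPED_VIEW


def audit_jelly(text):
    """Return (status, expression_count) for one Jelly view's source."""
    count = len(EXPR.findall(text))
    match = HEADER.search(text)
    if match is None:
        return ("missing", count)
    if match.group(1).lower() != "true":
        return ("disabled", count)
    return ("ok", count)


def audit_tree(root):
    """Map each *.jelly file under root that lacks escaping to its finding."""
    findings = {}
    for path in sorted(Path(root).rglob("*.jelly")):
        status, count = audit_jelly(path.read_text(encoding="utf-8", errors="replace"))
        if status != "ok":
            findings[str(path.relative_to(root))] = (status, count)
    return findings


def demo():
    """Audit a temporary tree holding the two constructed views."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "unescaped.jelly").write_text(UNESCAPED_VIEW, encoding="utf-8")
        Path(tmp, "escaped.jelly").write_text(ESCAPED_VIEW, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for name, (status, count) in demo().items():
        print(f"{name}: escape-by-default {status}, {count} expression(s)")
```

Pointing `audit_tree` at a plugin's resources directory gives a list of views to review; the expression count helps prioritise the files that render the most data.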