
TAP plugin - give options to escape or un-escape HTML output

    • Improvement
    • Resolution: Unresolved
    • Minor
    • tap-plugin
    • None

      TAP plugin version 1.16
      There is a fix that will escape HTML in the Comment output. However, there are cases where some people would use HTML to format their output (such as to output an anchor link).

        Description Directive
           
      <a href="somelink">Some Text</a>    

      From the Jenkins TAP result, we would want to see the text "Some Text" as a link to click on, rather than the whole anchor HTML text.

      Maybe an option in Jenkins configure to escape / un-escape HTML output would be great.

      For more information, please see this commit change:
      https://github.com/jenkinsci/tap-plugin/commit/52a7986dafe41d458a2aae500e517928aebfd310

      Thanks.

          [JENKINS-20917] TAP plugin - give options to escape or un-escape HTML output

          Andrew Johnson added a comment - This is a duplicate of issue https://issues.jenkins-ci.org/browse/JENKINS-19676 but suggests a better solution.

          Bruno P. Kinoshita added a comment -

          Hi Linh

          I don't see how we could have a fine grained option, to allow only certain parts of the output to allow the unescaped content. So I think we would need a flag that either blocks all HTML content, or allows it.

          We have recently fixed a similar issue, as Andrew pointed out (big thanks), following the Jenkins Jelly guidelines for XSS prevention:

          https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention

          It is not impossible to have a flag that would disable the XSS prevention. That would allow you to use an HTML link in your output... but that would also add a security issue.

          Maybe we could think about something in the diagnostics with YAMLish?
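
A middle path between the two flag positions discussed in this thread, as an added example that is not tap-plugin code: escape all TAP text, and re-emit as a link only an anchor of the exact form `<a href="...">text</a>` whose target is an absolute http or https URL. The class and method names are hypothetical, and a relative target such as the ticket's `somelink` stays escaped in this sketch.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.*;

// Added illustration; TapCommentRenderer and its methods are hypothetical names.
public class TapCommentRenderer {
    // Only this exact shape is treated as a link; extra attributes keep it plain text.
    private static final Pattern ANCHOR =
            Pattern.compile("<a href=\"([^\"<>]*)\">([^<>]*)</a>");
    // Escape the HTML-significant characters, '&' first so the entities added afterwards are not re-escaped.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    // Accept only absolute http(s) URLs with a host; other schemes are refused.
    static boolean isSafeLink(String href) {
        try {
            URI uri = new URI(href);
            String scheme = uri.getScheme();
            return uri.getHost() != null
                    && ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme));
        } catch (URISyntaxException e) {
            return false;
        }
    }
    // Escape everything, then rebuild allowlisted anchors from escaped parts.
    static String render(String raw) {
        StringBuilder out = new StringBuilder();
        Matcher m = ANCHOR.matcher(raw);
        int last = 0;
        while (m.find()) {
            out.append(escape(raw.substring(last, m.start())));
            if (isSafeLink(m.group(1))) {
                out.append("<a href=\"").append(escape(m.group(1))).append("\" rel=\"noopener noreferrer\">")
                   .append(escape(m.group(2))).append("</a>");
            } else {
                out.append(escape(m.group())); // rejected anchors are shown as literal text
            }
            last = m.end();
        }
        return out.append(escape(raw.substring(last))).toString();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed TAP comment text
            "see <a href=\"https://ci.example.org/job/1\">Some Text</a>",
            "<a href=\"javascript:void(0)\">x</a> <b>bold</b>" };
        for (String s : samples) System.out.println(render(s));
    }
}
```

The returned string is already safe markup, so whatever view prints it must not escape it a second time, and must not print any other TAP field unescaped.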

            kinow Bruno P. Kinoshita
            linhpham Linh Pham