Type: Bug
Resolution: Fixed
Priority: Major
Environment: Ubuntu, Tomcat 7.0.52, jenkins war distribution
We have html job descriptions for most of our jobs. Since upgrading to the latest jenkins version 1.553 (from 1.538) the html tags do not get rendered. Instead plain html code is shown.
The same applies for the "Preview" when editing the job description.
- is duplicated by JENKINS-22266 HTML content remains escaped in system message and job descriptions (Closed)
- is related to JENKINS-26565 Show both 'names' of plugins (Open)
[JENKINS-22028] HTML in job description does not get rendered (all html tags escaped)
Same issue since 1.553.
Images (from /userContent) and links aren't rendered anymore, only shown as plain HTML. Which is hindering usability...
Addition: this not only applies to job descriptions, but also elsewhere, e.g. the system message that can be configured in the system-wide configuration settings and gets displayed on the top page.
In 1.553 the Raw HTML Formatter was moved to the new antisamy-markup-formatter plugin.
This seems to have changed the default HTML formatter from Raw HTML to Escaped HTML, which escapes all HTML.
You can restore the original behavior by selecting Raw HTML as the Markup Formatter on the Configure Global Security page.
I'm seeing this same issue with 1.553.
On the Configure Global Security page my only options are Enable security and Prevent Cross Site Request Forgery Exploits. I'm not seeing a Markup Formatter option on that page.
The Markup Formatter option is only available if you Enable security.
It's a bit strange that you first have to enable security in order to change the formatter to a potentially dangerous one. This would make more sense if the default formatter were Escaped HTML.
I think the default formatter should be Raw HTML and the Markup Formatter option should be moved directly to the Configure Global Security page, just like Prevent Cross Site Request Forgery Exploits.
The workaround described above worked for us:
"Configure Global Security" -> Check "Enable Security" -> Choose Markup Formatter = "Raw HTML", then pressing "Save" (without selecting any other option).
Interestingly, when going to "Configure Global Security" again, the checkbox "Enable Security" is unchecked again. But still the default for Markup Formatter has been changed to "Raw HTML". So I agree that the option Markup Formatter should probably be moved out of "Enable Security".
I am not sure this is related, but I can't see an iframe in the description get rendered any more. It was rendered before and now it is not.
I do have RAW HTML enabled and other HTML is rendered OK.
We have the same problem with iframes defined in the description fields not being rendered. All other HTML works fine though.
I have the same problem on the Jenkins which is installed on Windows (since the update to 1.555 or later, I think), but the Jenkins which is installed on SUSE works well.
pablaasmo: Contrary to what the name indicates, "Raw HTML" doesn't allow potentially unsafe HTML (like iframes). Use the Anything goes Formatter for this.
Allow configuring the markup formatter without requiring "Enable Security":
https://github.com/jenkinsci/jenkins/pull/1235
Change the display name and description of the bundled 'Raw HTML' formatter plugin to match its behavior:
https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/1
Integrated in jenkins_main_trunk #3374
[FIX JENKINS-22028] Allow MarkupFormatter without enabling security (Revision ac3a5cd61461c5f7f063c57fba81a5aec6409664)
JENKINS-22028 Noting merge of #1235. (Revision f3943a4ef707697e4cd512463c81b07f9bec95bc)
Result = SUCCESS
daniel-beck : ac3a5cd61461c5f7f063c57fba81a5aec6409664
Files:
- core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
- core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
- core/src/main/java/jenkins/model/Jenkins.java
Jesse Glick : f3943a4ef707697e4cd512463c81b07f9bec95bc
Files:
- changelog.html
The currently unreleased Jenkins 1.564 will allow selection of a markup formatter even with security disabled (similar to the CSRF protection).
Additionally, changed name and description of 'Raw HTML' formatter to better reflect what it actually does. Will be part of the next release of the antisamy-markup-formatter plugin.
In case of no existing security configuration, the default was changed from Raw/Safe HTML to Escaped HTML in 1.553. I don't think this is bad enough to warrant additional backwards compatibility changes as it's easily changed in the config, especially in 1.564 onward. Therefore I'm closing this.
If you experience this issue, update to Jenkins 1.564 or newer and select 'Raw HTML' or 'Safe HTML' on the Configure Global Security page.
Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
http://jenkins-ci.org/commit/jenkins/ac3a5cd61461c5f7f063c57fba81a5aec6409664
Log:
[FIX JENKINS-22028] Allow MarkupFormatter without enabling security
Given the current default of 'Escaped HTML', it makes no sense
to require users to 'Enable Security' to set up a less secure
alternative. So show it on the global security configuration page
on top level.
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
http://jenkins-ci.org/commit/jenkins/4770a7beab4fd8c776bd556998557fcefeb35a16
Log:
Merge branch 'JENKINS-22028' of github.com:daniel-beck/jenkins
Code changed in jenkins
User: Jesse Glick
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/f3943a4ef707697e4cd512463c81b07f9bec95bc
Log:
JENKINS-22028 Noting merge of #1235.
Compare: https://github.com/jenkinsci/jenkins/compare/b8c3f61c907d...f3943a4ef707
The fix above is in 1.565, not 1.564 (for the benefit of those like me wondering why the 1.564 upgrade didn't fix it)
Code changed in jenkins
User: Daniel Beck
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/9f3e1d8181e1b7ff50ef13e7d5cc3ab335b34eaf
Log:
JENKINS-22028 was only fixed in 1.565
I installed the 1.566 version but am still getting the same issue. The iframe is not visible in the Description.
roop_vijay: Install Anything Goes Formatter Plugin. 'Raw HTML', despite its name, only allows a safe subset of HTML. Iframes are not considered safe.
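The three formatter behaviours discussed in this thread (Escaped HTML treats the description as plain text, Raw/Safe HTML keeps an allowlisted subset and drops iframes and scripts, Anything Goes passes everything through) can be made concrete with a small sanitizer. The following is an added illustration and is not code from Jenkins or the antisamy-markup-formatter plugin; the plugin's real Safe HTML rules come from an OWASP AntiSamy policy, whereas the allowlist, the URL scheme rule and the sample description below are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes that survive sanitisation.
# This is an assumption for illustration, not the plugin's AntiSamy policy.
SAFE_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "b": set(), "i": set(), "p": set(), "br": set(), "ul": set(), "li": set(),
}
VOID_TAGS = {"img", "br"}
# Elements whose text content is code, not prose: drop the body as well as the tag.
SKIPPED_CONTENT = {"script", "style"}


def _safe_url(value: str) -> bool:
    """Accept http(s) and same-origin absolute paths; reject javascript:, data:, //host."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")


class SafeHtmlFormatter(HTMLParser):
    """Allowlist sanitiser: unknown tags and unsafe attributes are removed, text is escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # removed tags, useful for audit logging
        self._skipping = 0             # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_CONTENT:
            self._skipping += 1
        allowed = SAFE_TAGS.get(tag)
        if allowed is None:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # drops event handlers such as onclick
            if name in ("href", "src") and not _safe_url(value):
                continue  # drops javascript: and protocol-relative URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIPPED_CONTENT and self._skipping:
            self._skipping -= 1
        if tag in SAFE_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            # convert_charrefs=True already decoded &lt; etc., so re-escaping
            # keeps pre-escaped markup in the source as literal text.
            self.out.append(html.escape(data))


def escaped_html(text: str) -> str:
    """'Escaped HTML': the whole description is rendered as literal text."""
    return html.escape(text)


def safe_html(text: str) -> str:
    """'Safe HTML' (the formatter this thread calls 'Raw HTML'): allowlisted subset only."""
    p = SafeHtmlFormatter()
    p.feed(text)
    p.close()
    return "".join(p.out)


def safe_html_dropped(text: str) -> list[str]:
    """Tags that Safe HTML removed from the input; handy for a sanitisation log."""
    p = SafeHtmlFormatter()
    p.feed(text)
    p.close()
    return p.dropped


def anything_goes(text: str) -> str:
    """'Anything Goes': markup is emitted untouched, so the author controls the page."""
    return text


# Constructed job description exercising each rule.
SAMPLE_DESCRIPTION = (
    '<p>Build docs: <a href="https://example.invalid/docs" onclick="steal()">docs</a></p>'
    '<img src="/userContent/logo.png" alt="logo">'
    '<iframe src="https://example.invalid/dash"></iframe>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    print("escaped :", escaped_html(SAMPLE_DESCRIPTION))
    print("safe    :", safe_html(SAMPLE_DESCRIPTION))
    print("dropped :", safe_html_dropped(SAMPLE_DESCRIPTION))
    print("anything:", anything_goes(SAMPLE_DESCRIPTION))
```

Running it shows why the iframe reports above are expected behaviour rather than a bug: the link and the `/userContent` image survive Safe HTML, while the iframe, the script block, the `onclick` handler and the `javascript:` URL are stripped, and only Anything Goes would emit them.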
I'm having the same issue on a relatively new installation. The version number is 1.590. There is only the "Escaped HTML" option in Global Security. I can't see "Safe HTML". Any ideas?
Make sure Antisamy Markup Formatter plugin is installed and enabled.
I think the almost 20 people watching this would have noticed in the last half year if this wasn't actually fixed and mentioned it. So it's likely that, whatever it is, you're experiencing a different issue. Therefore please file a new issue if the above doesn't work for you, following the advice at https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue . Or even better, ask for troubleshooting advice on the jenkinsci-users mailing list or in IRC first.
Follow-up: I couldn't find Antisamy Plugin anywhere. We fixed it by enabling "OWASP Markup Formatter Plugin". The release notes of 1.553 do not explicitly name this plugin.
Frank: That's the one. "OWASP Markup Formatter Plugin" is what it's called on the UI. Its ID is antisamy-markup-formatter, and its file name (in JENKINS_HOME/plugins) is antisamy-markup-formatter.hpi/jpi, so that's the name by which I know it. Sorry about that.
I think that the naming of the option is misleading. The "Escaped HTML" suggests that if someone puts properly escaped HTML inside the description, it will get rendered (i.e. interpreted) - whereas it is actually treated as plaintext. Maybe naming the option as plain-text would serve better.
Code changed in jenkins
User: Radek Antoniuk
Path:
core/src/main/resources/hudson/markup/Messages.properties
http://jenkins-ci.org/commit/jenkins/d758818b09ecd8d3eebebc927409e0ed58b2938a
Log:
JENKINS-22028 - update label to reflect actual behavior
Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/resources/hudson/markup/Messages.properties
http://jenkins-ci.org/commit/jenkins/107a502db4a55122f9be13ef0e31bebde8fe733d
Log:
Merge pull request #1742 from QUIDDIA/master
JENKINS-22028 update label to reflect actual behavior
Compare: https://github.com/jenkinsci/jenkins/compare/76f4c3519b62...107a502db4a5
Reopening as the initial fix only changed the display name, not the info message (see screenshot). Verified in 1.625.2
First, the message is true. It's just that you did not enable markup formatting, so there's no formatting applied.
Second, nobody on this tracker cares about PRs to your own forks of Jenkins.
Same problem here after upgrading to 1.553. This entry from the changelog looks suspicious: