
HTML in job description does not get rendered (all html tags escaped)

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Labels: None
    • Environment: Ubuntu, Tomcat 7.0.52, jenkins war distribution

      We have html job descriptions for most of our jobs. Since upgrading to the latest jenkins version 1.553 (from 1.538) the html tags do not get rendered. Instead plain html code is shown.

      The same applies for the "Preview" when editing the job description.


          cb372 added a comment -

          Same problem here after upgrading to 1.553. This entry from the changelog looks suspicious:

          Split the “raw HTML” markup formatter out of core into a bundled plugin.


          K P added a comment - - edited

          Same issue since 1.553.

          Images (from /userContent) and links aren't rendered anymore, only shown as plain HTML. Which is hindering usability...

          Addition: this not only applies to job descriptions, but also elsewhere, e.g. the system message that can be configured in the system-wide configuration settings and gets displayed on the top page.


          Harald Albers added a comment -

          In 1.553 the Raw HTML Formatter was moved to the new antisamy-markup-formatter plugin.
          This seems to have changed the default HTML formatter from Raw HTML to Escaped HTML, which escapes all HTML.
          You can restore the original behavior by selecting Raw HTML as the Markup Formatter on the Configure Global Security page.


          Grant Patten added a comment -

          I'm seeing this same issue with 1.553.

          On the Configure Global Security page my only options are Enable security and Prevent Cross Site Request Forgery Exploits. I'm not seeing a Markup Formatter option on that page.


          Harald Albers added a comment -

          The Markup Formatter option is only available if you Enable security.

          It's a bit strange that you first have to enable security in order to change the formatter to a potentially dangerous one. This would make more sense if the default formatter were Escaped HTML.

          I think the default formatter should be Raw HTML and the Markup Formatter option should be moved directly to the Configure Global Security page, just like Prevent Cross Site Request Forgery Exploits.

          Stefan Thurnherr added a comment -

          The workaround described above worked for us:
          "Configure Global Security" -> Check "Enable Security" -> Choose Markup Formatter = "Raw HTML", then press "Save" (without selecting any other option).

          Interestingly, when going to "Configure Global Security" again, the checkbox "Enable Security" is unchecked again. But still the default for Markup Formatter has been changed to "Raw HTML". So I agree that the option Markup Formatter should probably be moved out of "Enable Security".

          Per Arnold Blaasmo added a comment -

          I am not sure this is related, but I can't see an iframe in the description get rendered any more. It was rendered before and now it is not.
          I do have RAW HTML enabled and other HTML is rendered OK.

          Edin Mujkanovic added a comment -

          We have the same problem with iframes defined in the description fields not being rendered. All other HTML works fine though.

          Wesley Archbell added a comment -

          I have the same issue when migrating from 1.538 to 1.560

          shans zoe added a comment -

          I have the same problem on the Jenkins which is installed on Windows (since updating to 1.555 or later, I think), but the Jenkins which is installed on SUSE works well.

          Daniel Beck added a comment -

          pablaasmo: Contrary to what the name indicates, "Raw HTML" doesn't allow potentially unsafe HTML (like iframes). Use the Anything goes Formatter for this.


          Daniel Beck added a comment -

          Allow configuring the markup formatter without requiring "Enable Security":
          https://github.com/jenkinsci/jenkins/pull/1235

          Change the display name and description of the bundled 'Raw HTML' formatter plugin to match its behavior:
          https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/1


          dogfood added a comment -

          Integrated in jenkins_main_trunk #3374
          [FIX JENKINS-22028] Allow MarkupFormatter without enabling security (Revision ac3a5cd61461c5f7f063c57fba81a5aec6409664)
          JENKINS-22028 Noting merge of #1235. (Revision f3943a4ef707697e4cd512463c81b07f9bec95bc)

          Result = SUCCESS
          daniel-beck : ac3a5cd61461c5f7f063c57fba81a5aec6409664
          Files :

          • core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
          • core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
          • core/src/main/java/jenkins/model/Jenkins.java

          Jesse Glick : f3943a4ef707697e4cd512463c81b07f9bec95bc
          Files :

          • changelog.html


          Daniel Beck added a comment -

          The currently unreleased Jenkins 1.564 will allow selection of a markup formatter even with security disabled (similar to the CSRF protection).

          Additionally, changed name and description of 'Raw HTML' formatter to better reflect what it actually does. Will be part of the next release of the antisamy-markup-formatter plugin.

          In case of no existing security configuration, the default was changed from Raw/Safe HTML to Escaped HTML in 1.553. I don't think this is bad enough to warrant additional backwards compatibility changes as it's easily changed in the config, especially in 1.564 onward. Therefore I'm closing this.

          If you experience this issue, update to Jenkins 1.564 or newer and select 'Raw HTML' or 'Safe HTML' on the Configure Global Security page.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
          http://jenkins-ci.org/commit/jenkins/ac3a5cd61461c5f7f063c57fba81a5aec6409664
          Log:
          [FIX JENKINS-22028] Allow MarkupFormatter without enabling security

          Given the current default of 'Escaped HTML', it makes no sense
          to require users to 'Enable Security' to set up a less secure
          alternative. So show it on the global security configuration page
          on top level.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
          http://jenkins-ci.org/commit/jenkins/4770a7beab4fd8c776bd556998557fcefeb35a16
          Log:
          Merge branch 'JENKINS-22028' of github.com:daniel-beck/jenkins

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/f3943a4ef707697e4cd512463c81b07f9bec95bc
          Log:
          JENKINS-22028 Noting merge of #1235.
          Compare: https://github.com/jenkinsci/jenkins/compare/b8c3f61c907d...f3943a4ef707

          bazzargh added a comment -

          The fix above is in 1.565, not 1.564 (for the benefit of those like me wondering why the 1.564 upgrade didn't fix it)


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/9f3e1d8181e1b7ff50ef13e7d5cc3ab335b34eaf
          Log:
          JENKINS-22028 was only fixed in 1.565

          Roop Vijay Singh added a comment -

          I installed version 1.566 but am still getting the same issue. The iframe is not visible in the Description.

          Daniel Beck added a comment -

          roop_vijay: Install Anything Goes Formatter Plugin. 'Raw HTML', despite its name, only allows a safe subset of HTML. Iframes are not considered safe.
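          A script-console check for the behaviour Harald Albers and Daniel Beck describe above: which markup formatter is active after the 1.553 change, and what "Escaped HTML" versus "Raw HTML" actually do to the same job description (links and bold text survive the OWASP safe subset, iframes and scripts do not). This is an added example, not code from the issue or the Jenkins project; it assumes the antisamy-markup-formatter plugin is installed so that hudson.markup.RawHtmlMarkupFormatter is on the classpath, and the sample description is constructed.

```groovy
// Added example (not from the issue or the Jenkins project). Run from
// Manage Jenkins -> Script Console to audit the global markup formatter
// and to compare how each formatter renders the same description.
// Assumes the OWASP/AntiSamy Markup Formatter plugin (plugin id
// antisamy-markup-formatter) is installed; RawHtmlMarkupFormatter
// lives in that plugin, not in core.
import jenkins.model.Jenkins
import hudson.markup.MarkupFormatter
import hudson.markup.EscapedMarkupFormatter
import hudson.markup.RawHtmlMarkupFormatter

def jenkins = Jenkins.instance

// 1. Which formatter is configured globally? This is the setting that the
//    upgrade to 1.553 silently changed to EscapedMarkupFormatter when no
//    security configuration existed.
MarkupFormatter current = jenkins.markupFormatter
println "Active markup formatter: ${current.class.name}"

// Constructed sample description (not from the issue): a harmless link and
// bold text, plus an iframe and a script that a safe-subset policy rejects.
String description = '''<b>Nightly build</b> - see <a href="/userContent/report.html">report</a>
<iframe src="https://example.invalid/dashboard"></iframe>
<script>console.log("not allowed in a description")</script>'''

// 2. Render the same text through the two formatters discussed in the thread.
//    'Escaped HTML' escapes every tag (the text shows up as plain HTML source);
//    'Raw HTML' applies the OWASP AntiSamy policy, keeping <b> and <a> but
//    dropping <iframe> and <script>.
Map<String, MarkupFormatter> candidates = [
    'Escaped HTML (plain text, default since 1.553)': new EscapedMarkupFormatter(),
    'Raw HTML (OWASP safe subset)'                  : new RawHtmlMarkupFormatter(false),
]
candidates.each { String label, MarkupFormatter f ->
    println "--- ${label}: ${f.class.name}"
    println f.translate(description)
}

// 3. Optional: restore the pre-1.553 behaviour non-interactively. This is the
//    same as choosing 'Raw HTML' on Configure Global Security. Uncomment to apply.
// jenkins.markupFormatter = new RawHtmlMarkupFormatter(false)
// jenkins.save()
```

          If step 1 reports a formatter other than the two above (for example the Anything Goes formatter mentioned in this thread), descriptions are rendered without any HTML filtering, which is worth knowing before letting non-administrators edit job descriptions.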

          Roop Vijay Singh added a comment -

          Thank you very much Daniel.
          It works.

          Frank van Gemeren added a comment -

          I'm having the same issue on a relatively new installation. The version number is 1.590. There is only the "Escaped HTML" option in Global Security. I can't see "Safe HTML". Any ideas?

          Daniel Beck added a comment -

          Make sure Antisamy Markup Formatter plugin is installed and enabled.

          I think the almost 20 people watching this would have noticed in the last half year if this wasn't actually fixed and mentioned it. So it's likely that, whatever it is, you're experiencing a different issue. Therefore please file a new issue if the above doesn't work for you, following the advice at https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue . Or even better, ask for troubleshooting advice on the jenkinsci-users mailing list or in IRC first.


          Frank van Gemeren added a comment -

          Follow-up: I couldn't find Antisamy Plugin anywhere. We fixed it by enabling "OWASP Markup Formatter Plugin". The release notes of 1.553 do not explicitly name this plugin.

          Daniel Beck added a comment -

          Frank: That's the one. "OWASP Markup Formatter Plugin" is what it's called on the UI. Its ID is antisamy-markup-formatter, and its file name (in JENKINS_HOME/plugins) is antisamy-markup-formatter.hpi/jpi, so that's the name by which I know it. Sorry about that.


          Radek Antoniuk added a comment -

          I think that the naming of the option is misleading. The "Escaped HTML" suggests that if someone puts properly escaped HTML inside the description, it will get rendered (i.e. interpreted) - whereas it is actually treated as plaintext. Maybe naming the option as plain-text would serve better.

          Jesse Glick added a comment -

          warden: file a PR to change the UI labels to refer to “plain text”.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Radek Antoniuk
          Path:
          core/src/main/resources/hudson/markup/Messages.properties
          http://jenkins-ci.org/commit/jenkins/d758818b09ecd8d3eebebc927409e0ed58b2938a
          Log:
          JENKINS-22028 - update label to reflect actual behavior

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/markup/Messages.properties
          http://jenkins-ci.org/commit/jenkins/107a502db4a55122f9be13ef0e31bebde8fe733d
          Log:
          Merge pull request #1742 from QUIDDIA/master

          JENKINS-22028 update label to reflect actual behavior

          Compare: https://github.com/jenkinsci/jenkins/compare/76f4c3519b62...107a502db4a5

          Joseph Spencer added a comment - - edited

          Reopening as the initial fix only changed the display name, not the info message (see screenshot). Verified in 1.625.2


          Joseph Spencer added a comment -

          Pending PR https://github.com/kogosoftwarellc/jenkins/pull/1

          Daniel Beck added a comment -

          First, the message is true. It's just that you did not enable markup formatting, so there's no formatting applied.

          Second, nobody on this tracker cares about PRs to your own forks of Jenkins.


            Assignee: Unassigned
            Reporter: Stefan Thurnherr
            Votes: 10
            Watchers: 20