
HTML in job description does not get rendered (all html tags escaped)

    • Bug
    • Resolution: Fixed
    • Major
    • core
    • None
    • Ubuntu, Tomcat 7.0.52, jenkins war distribution

      We have HTML job descriptions for most of our jobs. Since upgrading to the latest Jenkins version 1.553 (from 1.538) the HTML tags do not get rendered. Instead plain HTML code is shown.

      The same applies for the "Preview" when editing the job description.

          [JENKINS-22028] HTML in job description does not get rendered (all html tags escaped)

          Stefan Thurnherr created issue -

          cb372 added a comment -

          Same problem here after upgrading to 1.553. This entry from the changelog looks suspicious:

          Split the “raw HTML” markup formatter out of core into a bundled plugin.


          K P added a comment - - edited

          Same issue since 1.553.

          Images (from /userContent) and links aren't rendered anymore, only shown as plain HTML. Which is hindering usability...

          Addition: this not only applies to job descriptions, but also elsewhere, e.g. the system message that can be configured in the system-wide configuration settings and gets displayed on the top page.


          Harald Albers added a comment -

          In 1.553 the Raw HTML Formatter was moved to the new antisamy-markup-formatter plugin.
          This seems to have changed the default HTML formatter from Raw HTML to Escaped HTML, which escapes all HTML.
          You can restore the original behavior by selecting Raw HTML as the Markup Formatter on the Configure Global Security page.


          Grant Patten added a comment -

          I'm seeing this same issue with 1.553.

          On the Configure Global Security page my only options are Enable security and Prevent Cross Site Request Forgery Exploits. I'm not seeing a Markup Formatter option on that page.


          Harald Albers added a comment -

          The Markup Formatter option is only available if you Enable security.

          It's a bit strange that you first have to enable security in order to change the formatter to a potentially dangerous one. This would make more sense if the default formatter were Escaped HTML.

          I think the default formatter should be Raw HTML and the Markup Formatter option should be moved directly to the Configure Global Security page, just like Prevent Cross Site Request Forgery Exploits.


          Stefan Thurnherr added a comment -

          The workaround described above worked for us:
          "Configure Global Security" -> Check "Enable Security" -> Choose Markup Formatter = "Raw HTML", then pressing "Save" (without selecting any other option).

          Interestingly, when going to "Configure Global Security" again, the checkbox "Enable Security" is unchecked again. But still the default for Markup Formatter has been changed to "Raw HTML". So I agree that the option Markup Formatter should probably be moved out of "Enable Security".

          Truc Nguyen made changes -
          Link New: This issue is duplicated by JENKINS-22266 [ JENKINS-22266 ]

          Per Arnold Blaasmo added a comment -

          I am not sure this is related, but I can't see an iframe in the description get rendered any more. It was rendered before and now it is not.
          I do have RAW HTML enabled and other HTML is rendered OK.

          Edin Mujkanovic added a comment -

          We have the same problem with iframes defined in the description fields not being rendered. All other HTML works fine though.
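
The two symptoms reported in this thread (every tag shown as text once the formatter is Escaped HTML; iframes missing while links and images render under Raw HTML) can be modelled as the difference between an escaping formatter and an allowlist sanitizer. This is an added Python example, not part of any comment and not Jenkins or plugin code; the allowlist, the function names and the sample description are constructed, and whether the plugin's own policy omits iframes is an assumption.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for illustration; not the policy of any Jenkins plugin.
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}, "b": set(), "p": set(), "br": set()}
URL_ATTRS = {"href", "src"}
SAFE_PREFIXES = ("http://", "https://", "/")


def escape_all(markup):
    """Model of an escaping formatter: every tag is shown as literal text."""
    return html.escape(markup, quote=False)


class AllowlistSanitizer(HTMLParser):
    """Model of a sanitizing formatter: keep allowlisted tags, drop the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; any text inside it is still emitted, escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # e.g. event handlers such as onclick
            if name in URL_ATTRS and not value.lower().startswith(SAFE_PREFIXES):
                continue  # e.g. javascript: or data: URLs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in ("img", "br"):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed job description, modelled on what the commenters describe.
DESCRIPTION = ('<a href="/job/build/" onclick="track()">Build docs</a> '
               '<img src="/userContent/logo.png"> '
               '<iframe src="https://example.org/dashboard"></iframe>')
```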

            Unassigned
            Stefan Thurnherr (stefanthurnherr)
            Votes: 10
            Watchers: 20