Jenkins
JENKINS-22028

HTML in job description does not get rendered (all html tags escaped)


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component: core
    • Labels: None
    • Environment: Ubuntu, Tomcat 7.0.52, jenkins war distribution

    Description

      We have html job descriptions for most of our jobs. Since upgrading to the latest jenkins version 1.553 (from 1.538) the html tags do not get rendered. Instead plain html code is shown.

      The same applies for the "Preview" when editing the job description.

Activity

            stefanthurnherr Stefan Thurnherr created issue -
            cb372 cb372 added a comment -

            Same problem here after upgrading to 1.553. This entry from the changelog looks suspicious:

            Split the “raw HTML” markup formatter out of core into a bundled plugin.

            belpk K P added a comment - edited

            Same issue since 1.553.

            Images (from /userContent) and links aren't rendered anymore, only shown as plain HTML, which is hindering usability.

            Addition: this not only applies to job descriptions, but also elsewhere, e.g. the system message that can be configured in the system-wide configuration settings and gets displayed on the top page.
            albers Harald Albers added a comment -

            In 1.553 the Raw HTML Formatter was moved to the new antisamy-markup-formatter plugin.
            This seems to have changed the default HTML formatter from Raw HTML to Escaped HTML, which escapes all HTML.
            You can restore the original behavior by selecting Raw HTML as the Markup Formatter on the Configure Global Security page.

            gpatten Grant Patten added a comment -

            I'm seeing this same issue with 1.553.

            On the Configure Global Security page my only options are Enable security and Prevent Cross Site Request Forgery Exploits. I'm not seeing a Markup Formatter option on that page.

            albers Harald Albers added a comment -

            The Markup Formatter option is only available if you Enable security.

            It's a bit strange that you first have to enable security in order to change the formatter to a potentially dangerous one. This would make more sense if the default formatter were Escaped HTML.

            I think the default formatter should be Raw HTML and the Markup Formatter option should be moved directly to the Configure Global Security page, just like Prevent Cross Site Request Forgery Exploits.

            stefanthurnherr Stefan Thurnherr added a comment -

            The workaround described above worked for us:
            "Configure Global Security" -> Check "Enable Security" -> Choose Markup Formatter = "Raw HTML", then press "Save" (without selecting any other option).

            Interestingly, when going to "Configure Global Security" again, the checkbox "Enable Security" is unchecked again. But still the default for Markup Formatter has been changed to "Raw HTML". So I agree that the option Markup Formatter should probably be moved out of "Enable Security".
            truc Truc Nguyen made changes -
            Field Original Value New Value
            Link This issue is duplicated by JENKINS-22266 [ JENKINS-22266 ]

            pablaasmo Per Arnold Blaasmo added a comment -

            I am not sure this is related, but I can't see an iframe in the description get rendered any more. It was rendered before and now it is not.
            I do have RAW HTML enabled and other HTML is rendered OK.

            exelerus Edin Mujkanovic added a comment -

            We have the same problem with iframes defined in the description fields not being rendered. All other HTML works fine though.

            wesleyarchbell Wesley Archbell added a comment -

            I have the same issue when migrating from 1.538 to 1.560.
            bindwood shans zoe added a comment -

            I have the same problem on the Jenkins which is installed on Windows (since updating to 1.555 or later, I think), but the Jenkins which is installed on SUSE works well.
            danielbeck Daniel Beck added a comment -

            pablaasmo: Contrary to what the name indicates, "Raw HTML" doesn't allow potentially unsafe HTML (like iframes). Use the Anything goes Formatter for this.

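To make concrete what the three formatter choices discussed in this thread do to one and the same description, here is a small Python model added for this page. It is not Jenkins or AntiSamy code: the allow-list in it is a deliberately tiny stand-in for AntiSamy's policy, and the sample description is constructed (a /userContent image, a link, an iframe and an injected script tag, the mix the reporters above describe).

```python
import html
from html.parser import HTMLParser

# Constructed sample description of the kind reported in this issue:
# a /userContent image, a link, an iframe and an injected script.
SAMPLE = (
    '<p>Build dashboard: <a href="/userContent/dash.html">dashboard</a> '
    '<img src="/userContent/logo.png" alt="logo"></p>'
    '<iframe src="https://example.invalid/"></iframe>'
    '<script>alert(1)</script>'
)


def escaped_formatter(text):
    """'Escaped HTML' (later relabelled plain text): every tag is entity-encoded
    and shown literally, which is the symptom reported after 1.553."""
    return html.escape(text, quote=True)


def anything_goes_formatter(text):
    """'Anything goes': markup reaches the browser unchanged, iframes and scripts included."""
    return text


# Illustrative allow-list only; AntiSamy's real policy is far larger.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                  # tags that never get a closing tag
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags and attributes. Unknown tags (iframe,
    object, ...) are dropped but their text is kept; script/style bodies are
    discarded entirely; href/src must use an allow-listed scheme or path."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0           # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue              # rejects javascript:, data:, vbscript: ...
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def safe_html_formatter(text):
    """'Safe HTML' (the formatter this thread still calls 'Raw HTML'):
    allow-list sanitization, so the iframe disappears while image and link survive."""
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for name, fmt in (("Escaped HTML", escaped_formatter),
                      ("Safe HTML", safe_html_formatter),
                      ("Anything goes", anything_goes_formatter)):
        print("%-14s %s" % (name + ":", fmt(SAMPLE)))
```

Run it and compare the three lines: escaped_formatter is the post-1.553 default, which is why reporters saw literal tags; safe_html_formatter keeps the image and the link but silently drops the iframe, matching Daniel Beck's explanation of the misnamed "Raw HTML" option; anything_goes_formatter hands the markup to the browser untouched, so anyone allowed to edit a job description or the system message can run script in every viewer's session, which is why that formatter is a separate plugin rather than the default.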
            danielbeck Daniel Beck added a comment -

            Allow configuring the markup formatter without requiring "Enable Security":
            https://github.com/jenkinsci/jenkins/pull/1235

            Change the display name and description of the bundled 'Raw HTML' formatter plugin to match its behavior:
            https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/1

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3374
            [FIX JENKINS-22028] Allow MarkupFormatter without enabling security (Revision ac3a5cd61461c5f7f063c57fba81a5aec6409664)
            JENKINS-22028 Noting merge of #1235. (Revision f3943a4ef707697e4cd512463c81b07f9bec95bc)

            Result = SUCCESS
            daniel-beck : ac3a5cd61461c5f7f063c57fba81a5aec6409664
            Files :

            • core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            • core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            • core/src/main/java/jenkins/model/Jenkins.java

            Jesse Glick : f3943a4ef707697e4cd512463c81b07f9bec95bc
            Files :

            • changelog.html
            danielbeck Daniel Beck added a comment -

            The currently unreleased Jenkins 1.564 will allow selection of a markup formatter even with security disabled (similar to the CSRF protection).

            Additionally, changed name and description of 'Raw HTML' formatter to better reflect what it actually does. Will be part of the next release of the antisamy-markup-formatter plugin.

            In case of no existing security configuration, the default was changed from Raw/Safe HTML to Escaped HTML in 1.553. I don't think this is bad enough to warrant additional backwards compatibility changes as it's easily changed in the config, especially in 1.564 onward. Therefore I'm closing this.

            If you experience this issue, update to Jenkins 1.564 or newer and select 'Raw HTML' or 'Safe HTML' on the Configure Global Security page.

            danielbeck Daniel Beck made changes -
            Assignee Daniel Beck [ danielbeck ]
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Resolved [ 5 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            http://jenkins-ci.org/commit/jenkins/ac3a5cd61461c5f7f063c57fba81a5aec6409664
            Log:
            [FIX JENKINS-22028] Allow MarkupFormatter without enabling security

            Given the current default of 'Escaped HTML', it makes no sense
            to require users to 'Enable Security' to set up a less secure
            alternative. So show it on the global security configuration page
            on top level.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            http://jenkins-ci.org/commit/jenkins/4770a7beab4fd8c776bd556998557fcefeb35a16
            Log:
            Merge branch 'JENKINS-22028' of github.com:daniel-beck/jenkins

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/f3943a4ef707697e4cd512463c81b07f9bec95bc
            Log:
            JENKINS-22028 Noting merge of #1235.

            Compare: https://github.com/jenkinsci/jenkins/compare/b8c3f61c907d...f3943a4ef707
            bazzargh bazzargh added a comment -

            The fix above is in 1.565, not 1.564 (for the benefit of those like me wondering why the 1.564 upgrade didn't fix it)


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/9f3e1d8181e1b7ff50ef13e7d5cc3ab335b34eaf
            Log:
            JENKINS-22028 was only fixed in 1.565

            roop_vijay Roop Vijay Singh added a comment -

            I installed the 1.566 version but am still getting the same issue. The iframe is not visible in Description.
            danielbeck Daniel Beck added a comment -

            roop_vijay: Install Anything Goes Formatter Plugin. 'Raw HTML', despite its name, only allows a safe subset of HTML. Iframes are not considered safe.

            roop_vijay Roop Vijay Singh added a comment -

            Thank you very much Daniel.
            It works.

            frvge Frank van Gemeren added a comment -

            I'm having the same issue on a relatively new installation. The version number is 1.590. There is only the "Escaped HTML" option in Global Security. I can't see "Safe HTML". Any ideas?
            frvge Frank van Gemeren made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            danielbeck Daniel Beck added a comment -

            Make sure Antisamy Markup Formatter plugin is installed and enabled.

            I think the almost 20 people watching this would have noticed in the last half year if this wasn't actually fixed and mentioned it. So it's likely that, whatever it is, you're experiencing a different issue. Therefore please file a new issue if the above doesn't work for you, following the advice at https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue . Or even better, ask for troubleshooting advice on the jenkinsci-users mailing list or in IRC first.

            danielbeck Daniel Beck made changes -
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]

            frvge Frank van Gemeren added a comment -

            Follow-up: I couldn't find Antisamy Plugin anywhere. We fixed it by enabling "OWASP Markup Formatter Plugin". The release notes of 1.553 do not explicitly name this plugin.
            danielbeck Daniel Beck added a comment -

            Frank: That's the one. "OWASP Markup Formatter Plugin" is what it's called on the UI. Its ID is antisamy-markup-formatter, and its file name (in JENKINS_HOME/plugins) is antisamy-markup-formatter.hpi/jpi, so that's the name by which I know it. Sorry about that.

            legolas Arnt Witteveen made changes -
            Link This issue is related to JENKINS-26565 [ JENKINS-26565 ]

            warden Radek Antoniuk added a comment -

            I think that the naming of the option is misleading. "Escaped HTML" suggests that if someone puts properly escaped HTML inside the description, it will get rendered (i.e. interpreted), whereas it is actually treated as plaintext. Maybe naming the option plain-text would serve better.
            jglick Jesse Glick added a comment -

            warden, file a PR to change the UI labels to refer to “plain text”.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Radek Antoniuk
            Path:
            core/src/main/resources/hudson/markup/Messages.properties
            http://jenkins-ci.org/commit/jenkins/d758818b09ecd8d3eebebc927409e0ed58b2938a
            Log:
            JENKINS-22028 - update label to reflect actual behavior

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/hudson/markup/Messages.properties
            http://jenkins-ci.org/commit/jenkins/107a502db4a55122f9be13ef0e31bebde8fe733d
            Log:
            Merge pull request #1742 from QUIDDIA/master

            JENKINS-22028 update label to reflect actual behavior

            Compare: https://github.com/jenkinsci/jenkins/compare/76f4c3519b62...107a502db4a5
            jsdevel Joseph Spencer made changes -
            Attachment info-message.png [ 31405 ]
            jsdevel Joseph Spencer added a comment - edited

            Reopening as the initial fix only changed the display name, not the info message (see screenshot). Verified in 1.625.2.
            jsdevel Joseph Spencer made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            jsdevel Joseph Spencer made changes -
            Attachment info-message.png [ 31405 ]
            jsdevel Joseph Spencer made changes -
            Attachment Screen Shot 2015-12-08 at 11.41.59 PM.jpg [ 31406 ]
            jsdevel Joseph Spencer made changes -
            Attachment Screen Shot 2015-12-08 at 11.41.59 PM.jpg [ 31406 ]
            jsdevel Joseph Spencer made changes -
            Attachment info-message.png [ 31407 ]
            Attachment info-message.png [ 31407 ]
            jsdevel Joseph Spencer made changes -
            Assignee Daniel Beck [ danielbeck ] Joseph Spencer [ jsdevel ]
            jsdevel Joseph Spencer added a comment - Pending PR https://github.com/kogosoftwarellc/jenkins/pull/1
            danielbeck Daniel Beck added a comment -

            First, the message is true. It's just that you did not enable markup formatting, so there's no formatting applied.

            Second, nobody on this tracker cares about PRs to your own forks of Jenkins.

            danielbeck Daniel Beck made changes -
            Assignee Joseph Spencer [ jsdevel ]
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 154105 ] JNJira + In-Review [ 194791 ]

            People

              Assignee: Unassigned
              Reporter: stefanthurnherr Stefan Thurnherr
              Votes: 10
              Watchers: 20