• Bug
    • Resolution: Fixed
    • Minor
    • active-choices-plugin
    • None
    • Ubuntu 16.04.2
      OpenJDK8
      Jenkins v2.46.1 LTS
      Active Choices Plug-in 1.4
      Matrix Configuration Parameter Plugin 1.1.0

      After upgrading to Ubuntu 16.04.2 and Jenkins 2.46.1,
      some of the input parameter HTML descriptions stop working.

        1. uno-choice.hpi (242 kB)
        2. config.xml (3 kB)
        3. Screenshot_2017-12-28_14-05-29.png (39 kB)
        4. Screenshot_2017-07-06_23-47-55.png (70 kB)
        5. Screenshot_2017-07-06_23-48-07.png (61 kB)
        6. Screenshot from 2017-07-06 23-04-40.png (48 kB)
        7. Screenshot_2017-07-06_23-48-07.png (61 kB)
        8. Screenshot from 2017-07-06 23-04-40.png (48 kB)
        9. Selection_002.png (49 kB)
        10. Selection_001.png (73 kB)

          [JENKINS-43380] Input parameter HTML description not working

          Rick Liu created issue -

          Rick Liu added a comment -

          Same as JENKINS-43381
          Caused by the fix for SECURITY-353 in https://jenkins.io/security/advisory/2017-02-01/


          Ioannis Moutsatsos added a comment - - edited

          This is most likely not an Active Choices related issue.

          Have you tried this:

          1. Go to http://yourjenkinsserver:8080/configureSecurity (Or click on ‘Manage Jenkins’ -> ‘Configure Global Security’ links)
          2. In the ‘Markup Formatter’ drop down box select ‘Safe HTML’

          This allows HTML to be used in the description of projects and parameters and is required for correct display of Jenkins-LSCI job forms.


          Daniel Beck added a comment -

          ioannis Actually it is (sort of). To fix a vulnerability affecting all parameter types, core and plugins, the Feb 1 security fix changed all parameter types from having description printed verbatim to escaping them. They need to adapt using the same fix as https://github.com/jenkinsci/jenkins/blob/33942677d4887c1ab68f2430e734efe35943b506/core/src/main/resources/hudson/model/StringParameterDefinition/index.jelly#L29...L30

          The first line disables the mandatory escaping, the second line escapes the values rather than printing them raw. https://github.com/jenkinsci/active-choices-plugin/blob/8a97011b547cde9520929a1370e38c0b3a4972ef/src/main/resources/org/biouno/unochoice/common/choiceParameterCommon.jelly#L8 does neither.

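Added example, not part of the original thread and not the plugin's or Jenkins core's actual file: a hypothetical parameter view (`index.jelly`) showing the two-line pattern described in the comment above. The `escapeEntryTitleAndDescription` variable, `h.escape` and `it.formattedDescription` are assumed to match the linked core lines; the parameter body is invented for illustration.

```xml
<?jelly escape-by-default='true'?>
<!-- Hypothetical index.jelly for a plugin-provided parameter type. -->
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">

  <!-- Pattern line 1: tell f:entry not to apply its mandatory escaping to
       title and description. From here on this view is responsible for
       making both values safe. -->
  <j:set var="escapeEntryTitleAndDescription" value="false"/>

  <!-- Pattern line 2: nothing is printed raw.
       title:       plain text, HTML-escaped explicitly with h.escape
       description: run through the globally configured markup formatter
                    (for example Safe HTML), so permitted tags render and
                    everything else is neutralised -->
  <f:entry title="${h.escape(it.name)}"
           description="${it.formattedDescription}">
    <div name="parameter">
      <input type="hidden" name="name" value="${it.name}"/>
      <f:textbox name="value" value="${it.defaultValue}"/>
    </div>
  </f:entry>

  <!-- What a view that does neither looks like:
         <f:entry title="${it.name}" description="${it.description}">
       Before the SECURITY-353 fix this printed the description verbatim.
       After the fix, f:entry escapes it, so HTML in the description is
       shown as literal text, which is the symptom reported in this issue. -->
</j:jelly>
```

With this pattern the rendered description depends on the Markup Formatter chosen under Configure Global Security: with a plain-text formatter HTML is still shown escaped, with Safe HTML the allowed subset renders.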
          Bruno P. Kinoshita made changes -
          Attachment New: Screenshot from 2017-07-06 23-04-40.png [ 38770 ]

          Bruno P. Kinoshita added a comment -

          Giving it a try before logging off

          First attaching a screen shot with the old Jenkins behaviour (taken running mvn clean hpi:run within Eclipse)

          Bruno P. Kinoshita made changes -
          Attachment New: Screenshot_2017-07-06_23-48-07.png [ 38771 ]
          Attachment New: Screenshot from 2017-07-06 23-04-40.png [ 38772 ]
          Bruno P. Kinoshita made changes -
          Attachment New: Screenshot_2017-07-06_23-47-55.png [ 38773 ]
          Attachment New: Screenshot_2017-07-06_23-48-07.png [ 38774 ]

          Bruno P. Kinoshita added a comment -

          The fix seems easy. But I may not have understood the issue very well. At least I don't seem to be able to reproduce it with the latest version of the plug-in, updating java.version=7, jenkins-plugin to 2.3, and jenkins.version to 2.7.4.

          Daniel Beck added a comment -

          kinow

           jenkins.version to 2.7.4.

          No surprise there, SECURITY-353 was only fixed in 2.32.2: https://jenkins.io/security/advisory/2017-02-01/


            kinow Bruno P. Kinoshita
            totoroliu Rick Liu
            Votes: 3
            Watchers: 6
