• Type: Bug
• Resolution: Unresolved
• Priority: Minor
• Component/s: upstream-downstream-view-plugin
• Labels:

  None
• Environment:

  Jenkins 2.138.2

[JENKINS-54124] Raw HTML when Stapler Security Hardening enabled

Yura Kovalenko created issue - 2018-10-17 11:13

Yura Kovalenko made changes - 2018-10-17 11:13

Description

Original: After upgrading to 2.138.2 all the links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

New: After upgrading to 2.138.2 all links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

Yura Kovalenko made changes - 2018-10-17 11:25

Description

Original: After upgrading to 2.138.2 all links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

New: After upgrading to 2.138.2 all links in columns are shown in raw HTML.  Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.

Collapse comment: Daniel Beck added a comment - 2018-10-17 13:51

Daniel Beck added a comment - 2018-10-17 13:51

Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted here doesn't help.

Don't set it in the script console, set it on startup, before the UI could be cached.

Expand comment: Daniel Beck added a comment - 2018-10-17 13:51

Daniel Beck added a comment - 2018-10-17 13:51 Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted here  doesn't help. Don't set it in the script console, set it on startup, before the UI could be cached.

Collapse comment: Yura Kovalenko added a comment - 2018-10-17 14:43

Yura Kovalenko added a comment - 2018-10-17 14:43

danielbeck thanks, was my bad - needed to full-restart Jenkins with "service jenkins restart"

Expand comment: Yura Kovalenko added a comment - 2018-10-17 14:43

Yura Kovalenko added a comment - 2018-10-17 14:43 danielbeck thanks, was my bad - needed to full-restart Jenkins with "service jenkins restart"

Yura Kovalenko made changes - 2018-10-17 14:45

Description

Original: After upgrading to 2.138.2 all links in columns are shown in raw HTML.  Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.

New: After upgrading to 2.138.2 all links in columns are shown in raw HTML.  -Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.- Setting org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

Collapse comment: Daniel Beck added a comment - 2018-10-28 18:39

Daniel Beck added a comment - 2018-10-28 18:39

Context: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening

Expand comment: Daniel Beck added a comment - 2018-10-28 18:39

Daniel Beck added a comment - 2018-10-28 18:39 Context: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening