[JENKINS-54124] Raw HTML when Stapler Security Hardening enabled

      After upgrading to 2.138.2 all links in columns are shown in raw HTML. -Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.-

      Setting org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.


          Yura Kovalenko created issue

          Yura Kovalenko made changes
          Description
            Original: After upgrading to 2.138.2 all the links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.
            New: After upgrading to 2.138.2 all links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

          Yura Kovalenko made changes
          Description
            Original: After upgrading to 2.138.2 all links in columns are shown in raw HTML. As noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities], setting the system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.
            New: After upgrading to 2.138.2 all links in columns are shown in raw HTML. Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.

          Yura Kovalenko made changes
          Description
            Original: After upgrading to 2.138.2 all links in columns are shown in raw HTML. Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.
            New: After upgrading to 2.138.2 all links in columns are shown in raw HTML. -Looks like setting system property org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false as noted [here|https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities] doesn't help.-

            Setting org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false helps.

            Assignee: Unassigned
            Reporter: Yura Kovalenko (howaboutno)