Patch
Resolution: Fixed
Minor
Jenkins 2.138.2, OWASP Markup Formatter Plugin 1.5
The Jenkins UI and docs refer to the "Safe HTML" markup formatter. But there is really no such thing.
It is implemented by the "OWASP Markup Formatter Plugin" (which links to "plugins.jenkins.io/antisamy-markup-formatter").
The jenkinsci/antisamy-markup-formatter project has a 1.5 tag, and appears to be what Jenkins bundles.
The plugin site mentions that policies are configurable, but there's no UI to configure policies. The file with the extension in it, confusingly named RawHtmlMarkupFormatter, appears to have had any pluggability cut out, but the comment still reflects the old support:
{code:java}
// Use the policy defined above to sanitize the HTML.
HtmlSanitizer.sanitize(markup, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
{code}
so in practice it looks like you can only use the copy of the MyspacePolicy embedded in the plugin code.
Hopefully this helps the next person who is utterly confused by this, when trying to figure out how to configure the "Safe HTML" formatter policy, allow additional tags in the "Safe HTML" markup formatter in Jenkins, etc.
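Because the policy cannot be configured, the practical way to learn what it permits is to run markup through the configured formatter and read the result. The following script-console snippet is an added example, not code from the plugin or from the original report; the sample markup strings are constructed and the example.invalid URLs are placeholders.

```groovy
// Added example: run in Manage Jenkins > Script Console.
// Shows how the currently configured markup formatter treats sample markup.
import jenkins.model.Jenkins

def formatter = Jenkins.get().markupFormatter
println "Configured formatter class: ${formatter.getClass().name}"

// Constructed sample inputs; replace with the tags and attributes you need.
def samples = [
    '<b>bold</b>',
    '<table><tr><td>cell</td></tr></table>',
    '<details><summary>more</summary>hidden text</details>',
    '<a href="https://example.invalid/" onclick="x()">link</a>',
    '<iframe src="https://example.invalid/"></iframe>',
    '<span style="color: red">styled</span>'
]

samples.each { markup ->
    def out = new StringWriter()
    // MarkupFormatter.translate writes the formatted markup to the writer.
    formatter.translate(markup, out)
    def result = out.toString()
    // "rewritten" covers both stripped content and harmless normalisation,
    // so always read the output line rather than relying on the label.
    def verdict = (result == markup) ? 'unchanged' : 'rewritten'
    println "${verdict.padRight(10)} ${markup}"
    println "           -> ${result}"
}
```

Run it again after a plugin upgrade to see whether the embedded policy has changed.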