JENKINS-55599 (Jenkins)

Blue Ocean markup formatter

Details

    Description
      Blue Ocean does not use any markup formatter for the build description. I use the OWASP markup formatter to create an HTML description. In the "old" frontend it is displayed correctly, but in Blue Ocean it only shows the HTML code.

      Activity

            halkeye Gavin Mogan added a comment -

            A PR (https://github.com/jenkinsci/blueocean-plugin/pull/1940) came in to allow html in some fields. It wasn't the safe way to solve this problem but a bunch of notes came up.

            I've copied the comments, with a few lines deleted that don't make sense out of context. I think this is a newbie-friendly task, so I want to make sure all the ideas are documented.

            dvdliao commented 12 days ago
            We are setting the build description in our own Jenkins library that does the GCS uploading:
            currentBuild.description = "Artifacts are available <a href='link'>here</a>"
            Definitely can't be putting JSX in here.

            halkeye commented 12 days ago

            If we could safely guarantee that the run.description is safe HTML, then

            https://github.com/jenkinsci/blueocean-plugin/blob/master/blueocean-dashboard/src/main/js/components/karaoke/components/RunDescription.jsx#L16
            could be updated to something like:

            <Alerts title={this.props.t('rundetail.pipeline.description')} message={<span dangerouslySetInnerHTML={{ __html: this.props.run.description }} />} />

            But I don't think any of us are comfortable blindly trusting any user input at all to be HTML. It would have to go through the sanitizer first.

            halkeye commented 12 days ago
            I don't know the API offhand, but a quick search of the Jenkins codebase found:

            https://github.com/jenkinsci/jenkins/blob/0795e89b308ec7fcbda097858d58763d8531be8c/core/src/main/java/hudson/model/ParameterDefinition.java#L141-L152

            So I'd say the Blue Ocean REST API needs to be updated to escape description everywhere, then the UI needs to be updated to trust description everywhere.

            I'd say it's a pretty quick task, maybe a day or two, perfect for a new contributor. The CB Blue Ocean people probably won't get to it anytime soon; we are working on stability and bug fixes mainly for the immediate future.

            halkeye commented 9 days ago
            I would also make a new @Exported field that is like filteredDescription or something, so we don't ever accidentally forget a description somewhere and accidentally cause XSS.

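            The "filtered field" idea above, written out as an added example (this is not Blue Ocean's code, and the class and package names are made up for illustration; the Jenkins calls it uses, Jenkins.get().getMarkupFormatter(), MarkupFormatter.translate(String) and Util.escape(String), are real core APIs). The raw description is exported unchanged, and a second exported field carries the description after it has passed through the globally configured markup formatter, which is the same path the classic UI takes for parameter descriptions. A client such as the RunDescription.jsx component would then use dangerouslySetInnerHTML only on filteredDescription and keep rendering description as text.

```java
package io.jenkins.blueocean.example; // hypothetical package, not part of Blue Ocean

import hudson.Util;
import hudson.markup.MarkupFormatter;
import hudson.model.Run;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;

/**
 * Added example (not Blue Ocean code): a REST-exported view of a run that serves
 * the raw description unchanged and, in a separate field, the description after
 * the globally configured MarkupFormatter has filtered it. Only the second field
 * may be rendered as HTML by a client.
 */
@ExportedBean
public class RunDescriptionExample {

    private static final Logger LOGGER = Logger.getLogger(RunDescriptionExample.class.getName());

    private final Run<?, ?> run;

    public RunDescriptionExample(Run<?, ?> run) {
        this.run = run;
    }

    /** Raw description as set via currentBuild.description. Clients must render this as text. */
    @Exported
    public String getDescription() {
        return run.getDescription();
    }

    /**
     * Description after the admin-configured markup formatter has processed it.
     * With the Jenkins default (EscapedMarkupFormatter) this is HTML-escaped plain
     * text; with the OWASP Markup Formatter plugin it is that plugin's allowlisted
     * subset of HTML. Either way it is what the classic UI already shows, so a
     * client may inject it with dangerouslySetInnerHTML.
     */
    @Exported
    public String getFilteredDescription() {
        String raw = run.getDescription();
        if (raw == null) {
            return null;
        }
        MarkupFormatter formatter = Jenkins.get().getMarkupFormatter();
        try {
            return formatter.translate(raw);
        } catch (IOException e) {
            // Fail closed: if the formatter cannot process the input, serve it as
            // escaped text rather than falling back to the raw string.
            LOGGER.log(Level.WARNING, "Could not format description of " + run.getFullDisplayName(), e);
            return Util.escape(raw);
        }
    }
}
```

            Keeping the two fields distinct is the point: a reviewer can grep the UI for dangerouslySetInnerHTML and check that every use reads filteredDescription, and the formatter in force is whatever the administrator configured under Configure Global Security, so Blue Ocean neither weakens nor second-guesses that choice.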
            owenmehegan Owen Mehegan added a comment -

            Many people may just want this support so that they can create clickable URLs. If that is all that is desired, printing the URL in an `echo` step will render it clickable in the Blue Ocean build UI. See https://github.com/jenkinsci/blueocean-plugin/pull/1400 


            mlmnetcologne Maurice Léon Mertens added a comment -

            Not just links. We want to use the description to format the text. So it would be nice if this were possible.

            rec Richard Eckart de Castilho added a comment -

            When introducing new parameters, it would IMHO help users (people running the jobs) a lot if one could display a short parameter title (not the name) and also a longer description. With HTML/formatting support, it would be possible to e.g. make the short title <bold> and the description <small> and maybe give it a light color. In the normal Jenkins interface for parametrized jobs this works, but unfortunately not in the Blue Ocean plugin.
            thehosh Hosh added a comment -

            halkeye will this eventually get looked at? Regarding sanitising, there is react-sanitized-html, which seems to be using a popular JS sanitisation library. Could possibly set the rules to be similar, or equal, to the antisamy-markup-formatter plugin.

            Also, I tried manually setting some basic HTML within the dom, it seems to be mostly okay, except for in the lists. E.g. in my case I added a table and a few divs one after the other, which caused flex to mess it all up.

            halkeye Gavin Mogan added a comment -

            It might. I left the team over a year ago now, so I have no insight into what's done and what's not done.

            Like everything Jenkins, Blue Ocean is open source and priorities are determined by its volunteers. You're more than welcome to try and fix it, but otherwise you'll have to either wait, or sponsor a third-party developer to try and fix it.

            thehosh Hosh added a comment -

            Excuse me, I hadn't realised you had left! Sorry to bother.


            People

              Assignee: Unassigned
              Reporter: Tobias Tschech (tschechniker)
              Votes: 7
              Watchers: 14