A PR (https://github.com/jenkinsci/blueocean-plugin/pull/1940) came in to allow HTML in some fields. It wasn't the safe way to solve this problem, but a bunch of notes came up.
I've copied the comments, with a few lines deleted that don't make sense out of context. I think this is a newbie-friendly task, so I want to make sure all the ideas are documented.
dvdliao commented 12 days ago
We are setting the build description in our own jenkins library that does the gcs uploading
currentBuild.description = "Artifacts are available <a href='link'>here</a>"
Definitely can't be putting JSX in here.
halkeye commented 12 days ago
If we could safely guarantee that the run.description is safe HTML, then
https://github.com/jenkinsci/blueocean-plugin/blob/master/blueocean-dashboard/src/main/js/components/karaoke/components/RunDescription.jsx#L16
could be updated to something like:
<Alerts title={this.props.t('rundetail.pipeline.description')} message={<span dangerouslySetInnerHTML={{ __html: this.props.run.description }}></span>} />
But I don't think any of us are comfortable blindly trusting any user input at all to be HTML. It would have to go through the sanitizer first.
halkeye commented 12 days ago
I don't know the API offhand, but in a quick search of the Jenkins codebase I found:
https://github.com/jenkinsci/jenkins/blob/0795e89b308ec7fcbda097858d58763d8531be8c/core/src/main/java/hudson/model/ParameterDefinition.java#L141-L152
So I'd say the Blue Ocean REST API needs to be updated to escape description everywhere, then the UI needs to be updated to trust description everywhere.
I'd say it's a pretty quick task, maybe a day or two, perfect for a new contributor. The CB Blue Ocean people probably won't get to it anytime soon; we are working on stability and bug fixes mainly for the immediate future.
halkeye commented 9 days ago
I would also make a new @Exported field that is like filteredDescription or something, so we don't ever accidentally forget a description somewhere and accidentally cause XSS.
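The design the thread converges on is: the REST layer exports a separate, already-sanitized field (the proposed filteredDescription), the UI renders only that field as HTML and keeps treating the raw description as text. The following is an added example written for this issue, not Blue Ocean or Jenkins code. It stands in for the server-side MarkupFormatter with a small allowlist sanitizer, then shows the vulnerable render (raw field as HTML) next to the hardened one (filtered field as HTML). The tag allowlist, the allowed URL schemes, the exported object shape and the function names are all assumptions for illustration; Jenkins' real markup formatter is pluggable and chosen by the administrator.

```javascript
// Added example for the jenkinsci/blueocean-plugin discussion, not project code.
// The allowlist, scheme list and field layout are assumptions of this example.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'code', 'br']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// HTML-escape so a string is always rendered as text, never parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A link target is acceptable if it has no scheme (relative URL) or an allowed scheme.
// Control characters and whitespace are stripped before the check because browsers strip
// them while parsing URLs, so "java\nscript:" would otherwise pass as a relative URL.
function isSafeHref(href) {
  const h = href.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(h);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Tokenizes the input on tags. Allowed tags are re-emitted in canonical form carrying only
// the attributes we explicitly keep; every other tag, and all text, is escaped. Existing
// entities in the text are re-escaped too (conservative: the text is shown literally).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)(\s[^>]*|\/)?>/g;
const HREF_RE = /(?:^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

function sanitizeHtml(input) {
  const out = [];
  const open = [];            // stack of open allowed tags, keeps the output balanced
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(input)) !== null) {
    out.push(escapeHtml(input.slice(last, m.index)));
    last = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const attrs = m[3] || '';
    if (!ALLOWED_TAGS.has(name)) {
      out.push(escapeHtml(m[0]));       // unknown tag: shown literally, never executed
    } else if (name === 'br') {
      out.push('<br>');
    } else if (closing) {
      if (open.length && open[open.length - 1] === name) {
        open.pop();
        out.push(`</${name}>`);
      }                                 // stray or mismatched close tag: dropped
    } else {
      let tag = `<${name}`;
      if (name === 'a') {               // href is the only attribute kept, and only if safe
        const h = HREF_RE.exec(attrs);
        const href = h ? (h[1] ?? h[2] ?? h[3]) : null;
        if (href !== null && isSafeHref(href)) tag += ` href="${escapeHtml(href)}"`;
      }
      out.push(tag + '>');
      open.push(name);
    }
  }
  out.push(escapeHtml(input.slice(last)));
  while (open.length) out.push(`</${open.pop()}>`);   // close anything left open
  return out.join('');
}

// What the REST layer would export per run. filteredDescription is the field name proposed
// in the thread; the rest of the object shape is an assumption of this example.
function exportRun(run) {
  return {
    description: run.description,                        // raw: only ever render as text
    filteredDescription: sanitizeHtml(run.description),  // sanitized: may be rendered as HTML
  };
}

// The 'before': injecting the raw field as HTML is exactly the XSS sink the thread warns about.
function renderDescriptionUnsafe(exported) {
  return `<span>${exported.description}</span>`;
}

// The 'after': only the filtered field is trusted as HTML.
function renderDescriptionSafe(exported) {
  return `<span>${exported.filteredDescription}</span>`;
}

// Constructed sample inputs for this example (not real Jenkins data).
const SAMPLE_RUNS = [
  { description: "Artifacts are available <a href='link'>here</a>" },
  { description: '<img src=x onerror=alert(1)>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const run of SAMPLE_RUNS) {
    const exported = exportRun(run);
    console.log('unsafe:', renderDescriptionUnsafe(exported));
    console.log('safe:  ', renderDescriptionSafe(exported));
  }
}
```

The point of the split field is the one halkeye makes: with the raw description still exported, a second consumer that forgets to sanitize is one dangerouslySetInnerHTML away from XSS, whereas a consumer of filteredDescription cannot get it wrong. The sanitizer here is deliberately conservative (unknown tags become visible text rather than being silently dropped, unbalanced allowed tags are closed, and only href on <a> survives) so that the legitimate case from the thread, a relative link in a build description, still renders while javascript:, event handlers and img/script markup do not.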