[JENKINS-55599] Blue Ocean markup formatter

Type: Improvement
Resolution: Unresolved
Priority: Major
Component: blueocean-plugin

Blue Ocean does not use any markup formatter for the build description. I use the OWASP markup formatter to create an HTML description. In the "old" frontend it's getting displayed correctly, but in Blue Ocean it only shows the HTML code.

          Gavin Mogan added a comment -

          A PR (https://github.com/jenkinsci/blueocean-plugin/pull/1940) came in to allow html in some fields. It wasn't the safe way to solve this problem but a bunch of notes came up.

I've copied the comments, with a few lines deleted that don't make sense out of context. I think this is a newbie-friendly task, so I want to make sure all the ideas are documented.

          dvdliao commented 12 days ago
          We are setting the build description in our own jenkins library that does the gcs uploading
currentBuild.description = "Artifacts are available <a href='link'>here</a>" Definitely can't be putting JSX in here

          halkeye commented 12 days ago

If we could safely guarantee that the run.description is safe html, then

          https://github.com/jenkinsci/blueocean-plugin/blob/master/blueocean-dashboard/src/main/js/components/karaoke/components/RunDescription.jsx#L16
          could be updated to something like:

<Alerts title={this.props.t('rundetail.pipeline.description')} message={<span dangerouslySetInnerHTML={{ __html: this.props.run.description }} />} />
But I don't think any of us are comfortable blindly trusting any user input at all to be html. It would have to go through the sanitizer first.

          halkeye commented 12 days ago
I don't know the API offhand, but in a quick search of the jenkins codebase I found:

          https://github.com/jenkinsci/jenkins/blob/0795e89b308ec7fcbda097858d58763d8531be8c/core/src/main/java/hudson/model/ParameterDefinition.java#L141-L152

So I'd say the blueocean rest api needs to be updated to escape description everywhere, then the ui needs to be updated to trust description everywhere.

I'd say it's a pretty quick task, maybe a day or two, perfect for a new contributor. The CB blueocean people probably won't get to it anytime soon; we are working on stability and bug fixes mainly for the immediate future.

          halkeye commented 9 days ago
I would also make a new @exported field that is like filteredDescription or something, so we don't ever accidentally forget a description somewhere and accidentally cause xss.
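The design halkeye sketches above (escape the description everywhere in the REST layer, export a separate sanitized field, and let the UI trust only that field) as an added example that is not part of this issue or of the blueocean-plugin code. The allowlist is a small, conservative one in the spirit of the OWASP/antisamy markup formatter, and `sanitizeDescription`, `exportRun` and `filteredDescription` are assumed names:

```javascript
// Added example, not blueocean-plugin code: allowlist sanitizer for run descriptions plus
// the "escape everywhere, export a separate sanitized field" split. Names are assumptions.
const ALLOWED_TAGS = new Set(['a', 'b', 'strong', 'i', 'em', 'small', 'code', 'br', 'p', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*)>|[<>]/g;
const ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Relative links and http(s)/mailto are fine; any other scheme (javascript:, data:, ...) is not.
// Control characters are stripped first because browsers ignore them when parsing "java\tscript:".
function safeHref(url) {
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url.replace(/[\x00-\x20]/g, ''));
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase());
}

// Every tag is rebuilt from scratch, so unknown tags, event handlers and unsafe URLs cannot
// pass through; the text of a dropped tag (e.g. inside <script>) is kept as inert text.
function sanitizeDescription(html) {
  return html.replace(TAG_RE, (match, slash, name, attrs) => {
    if (name === undefined) return escapeHtml(match);  // stray '<' or '>' in plain text
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash) return `</${tag}>`;
    let kept = '';
    for (const [, attr, dq, sq, bare] of attrs.matchAll(ATTR_RE)) {
      const key = attr.toLowerCase();
      const value = dq ?? sq ?? bare ?? '';
      if (!ALLOWED_ATTRS[tag]?.has(key)) continue;      // drops onclick, onerror, style, ...
      if (key === 'href' && !safeHref(value)) continue;
      kept += ` ${key}="${escapeHtml(value)}"`;
    }
    return `<${tag}${kept}>`;
  });
}

// What the REST layer would export: the raw description escaped (safe to render as text
// anywhere) and a separate filteredDescription that only the UI's HTML path consumes.
function exportRun(run) {
  return {
    description: escapeHtml(run.description),
    filteredDescription: sanitizeDescription(run.description),
  };
}

// Constructed sample: the link from dvdliao's library followed by an injected payload.
const sampleRun = { description: "Artifacts are available <a href='link'>here</a><img src=x onerror=alert(1)>" };
console.log(exportRun(sampleRun));
```

A regex tokenizer like this is enough to show the split between the two exported fields; a production sanitizer (antisamy on the server, or the library behind react-sanitized-html on the client) parses the markup properly and handles malformed nesting this one does not.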


          Owen Mehegan added a comment -

          Many people may just want this support so that they can create clickable URLs. If that is all that is desired, printing the URL in an `echo` step will render it clickable in the Blue Ocean build UI. See https://github.com/jenkinsci/blueocean-plugin/pull/1400 


Maurice Léon Mertens added a comment -

Not just links. We want to use the description with formatting the text. So it would be nice, if this could be possible.

Richard Eckart de Castilho added a comment -

When introducing new parameters, it would IMHO help users (people running the jobs) a lot if one could display a short parameter title (not the name) and also a longer description. With HTML/formatting support, it would be possible to e.g. make the short title <bold> and the description <small> and maybe give it a light color. In the normal Jenkins interface for parametrized jobs, this works - but unfortunately not in the Blue Ocean plugin.

          Hosh added a comment -

halkeye will this eventually get looked at? Regarding sanitising, there is react-sanitized-html, which seems to be using a popular JS sanitisation library. Could possibly set the rules to be similar, or equal, to the antisamy-markup-formatter plugin.

          Also, I tried manually setting some basic HTML within the dom, it seems to be mostly okay, except for in the lists. E.g. in my case I added a table and a few divs one after the other, which caused flex to mess it all up.


          Gavin Mogan added a comment -

It might. I left the team over a year ago now, so I have no insight into what's done and what's not done.

Like everything Jenkins, blue ocean is open source and priorities are determined by its volunteers. You're more than welcome to try and fix it, but otherwise you'll have to either wait, or sponsor a 3rd party developer to try and fix it.


          Hosh added a comment -

          Excuse me, I hadn't realised you had left! Sorry to bother.


Assignee: Unassigned
Reporter: Tobias Tschech (tschechniker)
Votes: 7
Watchers: 14