Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59056

Report displays raw HTML if CDATA terms are used

    XMLWordPrintable

Details

    Description

      After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML.

      With Jenkins  version 1.121 teh CDATA renders the HTML corectly to an image href

      Sample xml generating the 'ACTIONS' example tab is attached 

      Attachments

        Activity

          ioannis Ioannis Moutsatsos added a comment - - edited

          After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

           

          They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'

          Finally a workaround is offered, which I'm using until the plugin is fixed. See https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

          ioannis Ioannis Moutsatsos added a comment - - edited After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening  The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'   They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.' Finally a workaround is offered, which I'm using until the plugin is fixed. See  https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities
          olejara Adam Olejar added a comment -

          How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.

           

          olejara Adam Olejar added a comment - How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.  

          olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like:

          java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

          ioannis Ioannis Moutsatsos added a comment - olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like: java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

          People

            Unassigned Unassigned
            ioannis Ioannis Moutsatsos
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: