Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59056

Report displays raw HTML if CDATA terms are used

XMLWordPrintable

      After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML.

      With Jenkins  version 1.121 teh CDATA renders the HTML corectly to an image href

      Sample xml generating the 'ACTIONS' example tab is attached 

        1. actions.xml
          3 kB
        2. image-2019-08-22-11-56-28-540.png
          image-2019-08-22-11-56-28-540.png
          73 kB
        3. image-2019-08-22-11-56-59-572.png
          image-2019-08-22-11-56-59-572.png
          99 kB

          [JENKINS-59056] Report displays raw HTML if CDATA terms are used

          Ioannis Moutsatsos added a comment - - edited

          After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

           

          They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'

          Finally a workaround is offered, which I'm using until the plugin is fixed. See https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

          Ioannis Moutsatsos added a comment - - edited After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening  The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'   They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.' Finally a workaround is offered, which I'm using until the plugin is fixed. See  https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

          Adam Olejar added a comment -

          How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.

           

          Adam Olejar added a comment - How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.  

          Ioannis Moutsatsos added a comment -

          olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like:

          java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

          Ioannis Moutsatsos added a comment - olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like: java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

            Unassigned Unassigned
            ioannis Ioannis Moutsatsos
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: