• Type: Bug
• Resolution: Unresolved
• Priority: Major
• Component/s: summary_report-plugin
• Labels:

  • HTML
  • reporting
• Environment:

  Jenkins v 2.187 Summary Display Plugin v1.15

1. 

   image-2019-08-22-11-56-28-540.png

   73 kB

   2019-08-22 15:56

2. 

   image-2019-08-22-11-56-59-572.png

   99 kB

   2019-08-22 15:57

3. actions.xml

   3 kB

   2019-08-22 16:02

[JENKINS-59056] Report displays raw HTML if CDATA terms are used

Ioannis Moutsatsos created issue - 2019-08-22 16:03

Ioannis Moutsatsos made changes - 2019-08-22 16:26

Description

Original: After upgrading the plugin from v 1.13 the HTML is no loger rendered, but instead it is displayed as raw HTML. !image-2019-08-22-11-56-28-540.png! With the v1.13 version !image-2019-08-22-11-56-59-572.png! Sample xml generating the 'ACTIONS' example tab is attached

New: After upgrading the plugin from v 1.13 the HTML is no longer rendered, but instead it is displayed as raw HTML. !image-2019-08-22-11-56-28-540.png! With the v1.13 version !image-2019-08-22-11-56-59-572.png! Sample xml generating the 'ACTIONS' example tab is attached

Ioannis Moutsatsos made changes - 2019-08-23 19:43

Description

Original: After upgrading the plugin from v 1.13 the HTML is no longer rendered, but instead it is displayed as raw HTML. !image-2019-08-22-11-56-28-540.png! With the v1.13 version !image-2019-08-22-11-56-59-572.png! Sample xml generating the 'ACTIONS' example tab is attached

New: After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML. !image-2019-08-22-11-56-28-540.png! With Jenkins  version 1.121 teh CDATA renders the HTML corectly to an image href !image-2019-08-22-11-56-59-572.png! Sample xml generating the 'ACTIONS' example tab is attached

Ioannis Moutsatsos made changes - 2019-08-23 19:44

Summary

Original: HTML in report no longer renders but displays as raw HTML

New: HTML in report displays as raw HTML if CDATA terms are used

Collapse comment: Ioannis Moutsatsos added a comment - 2019-08-23 19:51, Edited by Ioannis Moutsatsos - 2019-08-23 20:21

Ioannis Moutsatsos added a comment - 2019-08-23 19:51 - edited

After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

 

They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'

Finally a workaround is offered, which I'm using until the plugin is fixed. See https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

Expand comment: Ioannis Moutsatsos added a comment - 2019-08-23 19:51, Edited by Ioannis Moutsatsos - 2019-08-23 20:21

Ioannis Moutsatsos added a comment - 2019-08-23 19:51 - edited After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening  The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'   They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.' Finally a workaround is offered, which I'm using until the plugin is fixed. See  https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

Ioannis Moutsatsos made changes - 2019-08-23 19:59

Summary

Original: HTML in report displays as raw HTML if CDATA terms are used

New: Report displays raw HTML if CDATA terms are used

Collapse comment: Adam Olejar added a comment - 2020-01-18 13:34

Adam Olejar added a comment - 2020-01-18 13:34

How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.

 

Expand comment: Adam Olejar added a comment - 2020-01-18 13:34

Adam Olejar added a comment - 2020-01-18 13:34 How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.  

Collapse comment: Ioannis Moutsatsos added a comment - 2020-04-17 16:11

Ioannis Moutsatsos added a comment - 2020-04-17 16:11

olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like:

java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

Expand comment: Ioannis Moutsatsos added a comment - 2020-04-17 16:11

Ioannis Moutsatsos added a comment - 2020-04-17 16:11 olejara you can apply the setting at the command used to startup Jenkins. This is what my command line looks like: java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080