JENKINS-59056

Report displays raw HTML if CDATA terms are used


Details

    Description

      After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML.

      With Jenkins version 1.121 the CDATA renders the HTML correctly to an image href

      Sample xml generating the 'ACTIONS' example tab is attached 


        Activity

          Ioannis Moutsatsos (ioannis) created issue
          Ioannis Moutsatsos (ioannis) made changes
          Field: Description
          Original Value:
            After upgrading the plugin from v 1.13 the HTML is no loger rendered, but instead it is displayed as raw HTML.

            !image-2019-08-22-11-56-28-540.png!

            With the v1.13 version

            !image-2019-08-22-11-56-59-572.png!

            Sample xml generating the 'ACTIONS' example tab is attached
          New Value:
            After upgrading the plugin from v 1.13 the HTML is no longer rendered, but instead it is displayed as raw HTML.

            !image-2019-08-22-11-56-28-540.png!

            With the v1.13 version

            !image-2019-08-22-11-56-59-572.png!

            Sample xml generating the 'ACTIONS' example tab is attached
          Ioannis Moutsatsos (ioannis) made changes
          Field: Description
          Original Value:
            After upgrading the plugin from v 1.13 the HTML is no longer rendered, but instead it is displayed as raw HTML.

            !image-2019-08-22-11-56-28-540.png!

            With the v1.13 version

            !image-2019-08-22-11-56-59-572.png!

            Sample xml generating the 'ACTIONS' example tab is attached
          New Value:
            After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML.

            !image-2019-08-22-11-56-28-540.png!

            With Jenkins version 1.121 the CDATA renders the HTML correctly to an image href

            !image-2019-08-22-11-56-59-572.png!

            Sample xml generating the 'ACTIONS' example tab is attached
          Ioannis Moutsatsos (ioannis) made changes
          Field: Summary
          Original Value: HTML in report no longer renders but displays as raw HTML
          New Value: HTML in report displays as raw HTML if CDATA terms are used
          Ioannis Moutsatsos (ioannis) added a comment (edited):

          After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

          They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'

          Finally a workaround is offered, which I'm using until the plugin is fixed. See https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

          Ioannis Moutsatsos (ioannis) made changes
          Field: Summary
          Original Value: HTML in report displays as raw HTML if CDATA terms are used
          New Value: Report displays raw HTML if CDATA terms are used
          Adam Olejar (olejara) added a comment:

          How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false? I can't find that setting.

          Ioannis Moutsatsos (ioannis) added a comment:

          olejara, you can apply the setting at the command used to start up Jenkins. This is what my command line looks like:

          java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

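The command line above disables two Jenkins protections at once: it sets the Stapler property escapeByDefault to false, which is the global opt-out from the 2.138 escaping hardening linked in the earlier comment, and it empties hudson.model.DirectoryBrowserSupport.CSP, which removes the Content-Security-Policy header Jenkins sends for files it serves from workspaces and archived artifacts. The following audit check is an added example, not code from this issue or from Jenkins: it parses the -D system properties out of a Jenkins launch command and reports which of these settings are in their weakened state, so the workaround can be tracked and removed once the plugin is fixed. The property names are the real ones from the command line above; the sample command is constructed from it.

```python
import shlex

# Jenkins/Stapler system properties that weaken built-in XSS protections when
# set to the value shown. Both names appear on the command line in this issue.
WEAKENING_PROPERTIES = {
    "org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault": (
        "false", "Jelly output escaping disabled (2.138 hardening opt-out)"),
    "hudson.model.DirectoryBrowserSupport.CSP": (
        "", "Content-Security-Policy for served workspace files removed"),
}


def parse_system_properties(cmdline):
    """Return {name: value} for every -Dname=value token in a JVM command line.

    Like the JVM, a bare -Dname (no '=') is recorded with an empty value.
    """
    props = {}
    for token in shlex.split(cmdline):
        if token.startswith("-D"):
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props


def audit_jenkins_cmdline(cmdline):
    """Return [(property, value, reason)] for every weakened setting found."""
    findings = []
    for name, value in parse_system_properties(cmdline).items():
        if name in WEAKENING_PROPERTIES:
            weak_value, reason = WEAKENING_PROPERTIES[name]
            if value.strip().lower() == weak_value:
                findings.append((name, value, reason))
    return findings


# Constructed sample, based on the command line quoted in this issue.
SAMPLE_CMDLINE = (
    "java -Xrs -Xmx2048m -Dhudson.model.DirectoryBrowserSupport.CSP= "
    '-Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" '
    '-jar "path/to/jenkins/jenkins.war" --httpPort=8080'
)

if __name__ == "__main__":
    for name, value, reason in audit_jenkins_cmdline(SAMPLE_CMDLINE):
        print(f"WEAKENED: -D{name}={value!r}: {reason}")
```

The same check applies to the JAVA_OPTS or JENKINS_JAVA_OPTIONS line of a service configuration, and on a running controller the two properties can be read back with System.getProperty(...) from the Script Console.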

          People

            Assignee: Unassigned
            Reporter: Ioannis Moutsatsos (ioannis)
            Votes: 1
            Watchers: 2