Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Minor
-
Resolution: Fixed
-
Component/s: active-choices-plugin, antisamy-markup-formatter-plugin
-
Labels:None
-
Environment:Jenkins 2.219
Active Choices (uno-choice) v2.0
OWASP Markup Formatter Plugin (antisamy-markup-formatter-plugin) v1.8/v2.0
-
Similar Issues:
Description
With Active Choices and OWASP Markup Formatter Plugin v2.0 installed, "input" elements are being stripped from "Formatted HTML" parameters. This is not an issue with OWASP Markup Formatter Plugin v1.8. Since this is one of the main use-cases of the Active Choices plugin, I assume this is a bug. There also doesn't seem to be a way to configure the markup formatter that the Active Choices plugin uses.
Attached are screenshots of the parameter config, the working "input" field with v1.8, and the missing input field with v2.0.
Attachments
Activity
That's interesting. I got
Result Markup Formatter Version: 2.0 Formatted: ''
I tried setting up security, without luck. I still couldn't reproduce the issue. I tried to upgrade the Jenkins version in pom.xml to the latest LTS version. The new UI is neat, but broke active choices (I think I saw that coming from another issue about replacing tablesby divs).
Then I ran out of time for testing it sorry. Next time I have some spare time to work on the plugin I will try running the LTS war with the latest version instead.
Things that I am concerned when reviewing the PR:
1. need to properly reproduce the issue before merging and releasing it
2. would be good to get someone - if possible - from Jenkins security team to confirm the plugin won't be blocked. I think the markup plugin was added due to a CVE with active choices that removed the plugin from update center. That's something that we need to try to avoid.
3. update docs about it
Cheers
Bruno
Bruno P. Kinoshita it looks like you got the right output in the script console, are you sure the job was using the groovy sandbox? It only uses the markup sanitization when the groovy sandbox is used. I'm not sure if you saw but I have a repo that uses the jenkins docker image to reproduce the issue: https://github.com/apottere/JENKINS-62215
Andrew Potter
added a comment - Bruno P. Kinoshita it looks like you got the right output in the script console, are you sure the job was using the groovy sandbox? It only uses the markup sanitization when the groovy sandbox is used. I'm not sure if you saw but I have a repo that uses the jenkins docker image to reproduce the issue: https://github.com/apottere/JENKINS-62215 Fixed in 2.4. Thanks Andrew Potter
In 2.4
Bruno P. Kinoshita can you try running the following in your script console?
That gives the following result on my test instance:
And when I downgrade the plugins:
Markup Formatter Version: 1.8 Formatted: '<input type="text" name="value" value="bar">'AFAICT it looks like formatting with RawHtmlMarkupFormatter is unavoidable when using the groovy sandbox, per this line: https://github.com/biouno/uno-choice-plugin/blob/master/src/main/java/org/biouno/unochoice/model/GroovyScript.java#L174