Status: In Progress
Since Release 2.5 and the implementation of SECURITY-2008 / CVE-2020-2290, we can't use the '+' character in our single select list.
We have an "Active Choices Parameter" with Choice Type "Single Select" to choose a version. Our versions have the format "<version>+build.<counter>".
The "+" character will be escaped to "+".
Is it possible that this is a bug?
grossmane yup, we are intentionally sanitizing the values returned when the sandbox is enabled for security.
We had a CVE in the past where certain values, when not escaped, could lead to security issues on the head node.
You can disable that by unchecking the sandbox option. The related code is here:
Our SafeHtmlExtendedMarkupFormatter is based on RawHtmlMarkupFormatter, which replaces `+` by the escaped code. But Jenkins' default formatter is the EscapedMarkupFormatter. I think we could modify SafeHtmlExtendedMarkupFormatter to be as lenient as EscapedMarkupFormatter. Just need to figure out how to do that without causing another security CVE bug.
I reproduced the issue, but only when the "Groovy Sandbox" option is enabled for the script. Let me take a look at what's going on.
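To make the difference between the two formatter styles concrete, here is an added Python model (not the plugin's or Jenkins' code). `escape_minimal` stands in for a formatter that only encodes the five HTML-structural characters, the way the thread describes EscapedMarkupFormatter; `escape_strict` stands in for a stricter sanitizer that additionally entity-encodes `+`. The assumption that the strict form emits the numeric entity `&#43;` is mine, as are all function names and the constructed choice values. The example shows that both escapers neutralize a markup payload, that a browser decodes either form back to the original version string, and that `+` is the only benign character the stricter escaper changes, which is exactly what surfaces when the escaped text is reused as a plain value instead of as HTML.

```python
import html

# Constructed sample choices: one real-looking version string and one
# deliberately hostile value, to show that the markup is neutralized either way.
CHOICES = ["1.4.0+build.12", "<script>alert(1)</script>"]

# The five characters that can change HTML structure.
HTML_SPECIAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_minimal(value: str) -> str:
    """Escape only the structural HTML characters (EscapedMarkupFormatter-style)."""
    return "".join(HTML_SPECIAL.get(ch, ch) for ch in value)


def escape_strict(value: str) -> str:
    """Like escape_minimal, but also encode '+' as &#43; (assumed sanitizer behaviour)."""
    return "".join("&#43;" if ch == "+" else HTML_SPECIAL.get(ch, ch) for ch in value)


def render_option(value: str, escaper) -> str:
    """Render one <option> the way a parameter page would, using the given escaper."""
    safe = escaper(value)
    return f'<option value="{safe}">{safe}</option>'


def value_seen_by_browser(rendered_option: str) -> str:
    """The value a browser would submit: the entity-decoded value attribute."""
    start = rendered_option.index('value="') + len('value="')
    end = rendered_option.index('"', start)
    return html.unescape(rendered_option[start:end])


def altered_values(choices, escaper) -> list:
    """Choices whose escaped form differs from the original text.

    These are the values that would look wrong if the escaped string were
    consumed as a raw parameter value rather than rendered as HTML.
    """
    return [c for c in choices if escaper(c) != c]


if __name__ == "__main__":
    for name, esc in (("minimal", escape_minimal), ("strict", escape_strict)):
        print(f"--- {name} ---")
        for choice in CHOICES:
            rendered = render_option(choice, esc)
            print(rendered, "->", value_seen_by_browser(rendered))
        print("altered when used raw:", altered_values(CHOICES, esc))
```

The takeaway for the formatter discussion: escaping is specific to the context the string is rendered in. Inside HTML, both forms of `1.4.0+build.12` reach the user unchanged; the visible `&#43;` only appears when the HTML-escaped text is carried into a non-HTML context, so a fix has to decide where the escaping happens, not just which characters are escaped.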