- Bug
- Resolution: Fixed
- Major
- None
- Jenkins 1.407
Raw HTML codes are displayed on many pages.
Is duplicated by:
- JENKINS-9418 Broken links in builds and console output since 1.407 (Resolved)
- JENKINS-9427 full log link is wrong (Resolved)
- JENKINS-9432 HTML links are not being rendered (Resolved)
- JENKINS-9419 "Show all" link is defect at build console (Resolved)
- JENKINS-9425 Create new jobs link is broken for new install (Resolved)
[JENKINS-9426] Raw HTML codes are displayed since 1.407
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
core/src/main/resources/hudson/model/AllView/noJob.jelly
core/src/main/resources/hudson/model/Run/console.jelly
http://jenkins-ci.org/commit/jenkins/eb7292e1a2137d9defaadc91eda2de853dda6fdd
Log:
JENKINS-9426 fixed broken html.
Integrated in jenkins_main_trunk #708
JENKINS-9426 get rid of the unwanted escape for XSS.
Seiji Sogabe : a903b3abd6f58f72429c752e73d5c7ba69728d25
Files :
- core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
- core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
- core/src/main/resources/hudson/model/LoadStatistics/main.jelly
- core/src/main/resources/hudson/model/Hudson/_cli.jelly
- core/src/main/resources/lib/hudson/scriptConsole.jelly
- core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
- core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
- core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
Integrated in jenkins_main_trunk #709
JENKINS-9426 fixed broken html.
Seiji Sogabe : eb7292e1a2137d9defaadc91eda2de853dda6fdd
Files :
- core/src/main/resources/hudson/model/Run/console.jelly
- core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
- core/src/main/resources/hudson/model/AllView/noJob.jelly
There's something wrong at a bit deeper level.
The literal use of ${%...} shouldn't require any escaping change, but looking at some of the fixes, it is clearly not the case. I'm trying to determine what I missed here.
In any case I feel we need an out-of-cycle 1.408 to address this... My sincere apologies.
I figured out what's going on.
There is org.jvnet.hudson:commons-jelly and there's now also org.jenkins-ci:commons-jelly. As they have different groupIds, Maven thinks of them as different artifacts, both ship in the war, and which one "wins" in the classloader at runtime is rather nondeterministic.
So it must be that our RC soak ran with the right version, but in some environments the bad one wins, and this fiasco ensues.
I'll write a Maven enforcer rule to catch this.
This also means that some of the "fixes" made later (such as 6523693e804bd786bc74a0354b3326ec2a8a0323) were actually unnecessary (even though they aren't wrong.) I'm thinking of mandating the XSS prevention PI in all Jelly views in the core, so I'd like to restore them.
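The root cause described above is two artifacts with different Maven coordinates shipping the same classes, so whichever jar the classloader sees first wins. The following is an added example (not Jenkins code and not the enforcer rule the comment refers to) of the check such a rule performs, in the spirit of the extra-enforcer-rules banDuplicateClasses rule: it scans a set of jars for `.class` entries present in more than one of them and shows that the "winner" depends only on classpath order. The jar names and entries are constructed stand-ins for the two commons-jelly artifacts.

```python
import io
import zipfile
from collections import defaultdict


def build_jar(entries):
    """Constructed stand-in for a jar: a zip holding the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


# Constructed sample WEB-INF/lib: two commons-jelly builds with different groupIds
# (org.jvnet.hudson vs org.jenkins-ci) overlap; stapler does not overlap with anything.
SAMPLE_JARS = {
    "commons-jelly-org.jvnet.hudson.jar": build_jar([
        "org/apache/commons/jelly/JellyContext.class",
        "org/apache/commons/jelly/XMLOutput.class",
        "META-INF/MANIFEST.MF",
    ]),
    "commons-jelly-org.jenkins-ci.jar": build_jar([
        "org/apache/commons/jelly/JellyContext.class",
        "org/apache/commons/jelly/XMLOutput.class",
        "org/apache/commons/jelly/expression/ExpressionSupport.class",
        "META-INF/MANIFEST.MF",
    ]),
    "stapler.jar": build_jar(["org/kohsuke/stapler/Stapler.class"]),
}


def classes_in(jar_bytes):
    """Set of .class entry names inside one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def find_duplicate_classes(jars):
    """Map every .class entry carried by more than one jar to the (sorted) jars carrying it."""
    owners = defaultdict(list)
    for jar_name, data in jars.items():
        for cls in classes_in(data):
            owners[cls].append(jar_name)
    return {cls: sorted(js) for cls, js in owners.items() if len(js) > 1}


def conflicting_jars(jars):
    """Pairs of jars that overlap; a build-time rule would fail the build when non-empty."""
    pairs = set()
    for js in find_duplicate_classes(jars).values():
        for i in range(len(js)):
            for j in range(i + 1, len(js)):
                pairs.add((js[i], js[j]))
    return sorted(pairs)


def winning_jar(classpath_order, jars, cls):
    """First-wins lookup, as a flat classloader does: the answer depends on order alone."""
    for jar_name in classpath_order:
        if cls in classes_in(jars[jar_name]):
            return jar_name
    return None
```

Running `conflicting_jars` over a real `WEB-INF/lib` directory (reading each file's bytes into the dict) gives the same answer a release soak cannot: the overlap exists regardless of which jar happened to win on the test machine.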
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/31e7daea9bbeda121439d977527e0b4dfd5250d5
Log:
recording JENKINS-9426 fix for the out-of-cycle 1.408 release
Integrated in jenkins_main_trunk #714
recording JENKINS-9426 fix for the out-of-cycle 1.408 release
Revert "JENKINS-9426 fixed broken html."
Revert "JENKINS-9426 get rid of the unwanted escape for XSS."
Kohsuke Kawaguchi : 31e7daea9bbeda121439d977527e0b4dfd5250d5
Files :
- changelog.html
Kohsuke Kawaguchi : a35e06c32c9304c24f973f3b359de7dddb30992d
Files :
- core/src/main/resources/hudson/model/AllView/noJob.jelly
- core/src/main/resources/hudson/model/Run/console.jelly
- core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
Kohsuke Kawaguchi : d9c157e04d49a7d24cd1ce7c163be01ec96f5fc0
Files :
- core/src/main/resources/hudson/model/LoadStatistics/main.jelly
- core/src/main/resources/hudson/model/Hudson/_cli.jelly
- core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
- core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
- core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
- core/src/main/resources/lib/hudson/scriptConsole.jelly
- core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
- core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
There is still raw HTML code in 1.408, (at least) in the update center.
For example:
Checkstyle Plugin
This plugin generates the trend report for <a href='http://checkstyle.sourceforge.net/'>Checkstyle</a>, an open source static code analysis program.
It is OK in the "Installed" tab, but not in "updates" and "available".
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/PluginManager/table.jelly
http://jenkins-ci.org/commit/jenkins/02a77ab01edd2751b0be4cea073a648dc05f7010
Log:
JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/model/Cause/description.jelly
core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
http://jenkins-ci.org/commit/jenkins/e31f505087bae56ca97063185a3333a4475a44f7
Log:
JENKINS-9426 Fixed Ras HTML. Cause description.
@ssogabe
Warn, I think there is "vaalue=" instead of "value=" in your diff (ignore me if this is an ignorant remark).
Integrated in jenkins_main_trunk #719
JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.
Seiji Sogabe : 02a77ab01edd2751b0be4cea073a648dc05f7010
Files :
- core/src/main/resources/hudson/PluginManager/table.jelly
Integrated in jenkins_main_trunk #720
JENKINS-9426 Fixed Ras HTML. Cause description.
Seiji Sogabe : e31f505087bae56ca97063185a3333a4475a44f7
Files :
- core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
- core/src/main/resources/hudson/model/Cause/description.jelly
This issue is not "fixed".
As kk commented above, when using the escape-by-default='true' PI and localized properties, the markup should not be escaped, as per https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention
To demonstrate the change in behaviour from 1.407 onwards, install this slightly modified Hello World builder into 1.406 and have a look at the label in the global config (or the 'Say hello world' build step). Both of these labels will be displayed on two lines. Now install the same plugin in any later version, and the labels will be displayed on one line with a nice <br /> in between.
https://github.com/bap2000/jenkins-can-haz-markup/blob/master/can-haz-markup.hpi
If you don't trust the binary, the source is here: https://github.com/bap2000/jenkins-can-haz-markup
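The contract the comment above relies on is that, under escape-by-default, a `${%...}` message resource is developer-owned markup and passes through, while runtime values are escaped. The following is an added example (not Jelly or Jenkins code) that models that contract in a tiny renderer: `Markup`, `MESSAGES`, `MODEL` and `render` are constructed stand-ins, `honour_markup=False` reproduces the regression where the label's `<br />` shows up as literal text, and `looks_double_escaped` is a check for the opposite failure, escaping a value twice.

```python
import html


class Markup(str):
    """Trusted, already-safe markup: what a localized ${%...} message resolves to.
    Plain str values are runtime data and must always be escaped."""


# Constructed stand-ins for a Messages.properties bundle and a model object.
MESSAGES = {"label": "Hello<br />World"}
MODEL = {"name": "<script>alert(1)</script>"}


def resolve(expr):
    """${%key} -> Markup from the resource bundle; ${it.field} -> untrusted str."""
    if expr.startswith("%"):
        return Markup(MESSAGES[expr[1:]])
    if expr.startswith("it."):
        return str(MODEL[expr[3:]])
    raise KeyError(expr)


def render(template, escape_by_default=True, honour_markup=True):
    """Render a template whose expressions are written as ${...}.

    honour_markup=False models the broken engine from the thread: it escapes every
    value, including message resources that are meant to carry markup, so the page
    shows the literal tags instead of rendering them."""
    out = []
    pos = 0
    while True:
        start = template.find("${", pos)
        if start < 0:
            out.append(template[pos:])
            break
        end = template.index("}", start)  # raises ValueError on an unterminated ${
        out.append(template[pos:start])
        value = resolve(template[start + 2:end])
        trusted = honour_markup and isinstance(value, Markup)
        out.append(value if trusted or not escape_by_default else html.escape(value, quote=True))
        pos = end + 1
    return "".join(out)


def looks_double_escaped(rendered):
    """Flag the '&amp;lt;' pattern left behind when a view escapes a value itself
    and the engine then escapes it again."""
    return "&amp;lt;" in rendered or "&amp;gt;" in rendered
```

The two failure modes are different bugs with opposite fixes: an escaped message resource means the trusted-markup channel was lost, while `&amp;lt;` in output means a view is escaping by hand under an engine that already escapes by default.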
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/lib/form/entry.jelly
http://jenkins-ci.org/commit/jenkins/7501670ca2fa40ea85cc77b6073429dcbfeb18a4
Log:
JENKINS-9426 Don't escape a title of the entry tag.
Integrated in jenkins_main_trunk #773
JENKINS-9426 Don't escape a title of the entry tag.
Seiji Sogabe : 7501670ca2fa40ea85cc77b6073429dcbfeb18a4
Files :
- core/src/main/resources/lib/form/entry.jelly
Looks like this fix is incomplete, so I'm reopening. On the "Nodes" page, I see the following literal text in the "response time" column of the table which shows the status of the various Jenkins slaves:
<span class=error><img src='/static/1193576e/images/none.gif' height=16 width=1>Time out for last 1 try</span>
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
http://jenkins-ci.org/commit/jenkins/e14c13cdf04e8b9b8871dd15cedefdf42e08fe29
Log:
[FIXED JENKINS-9426] avoid double-escape here
Integrated in jenkins_main_trunk #789
[FIXED JENKINS-9426] avoid double-escape here
Kohsuke Kawaguchi : e14c13cdf04e8b9b8871dd15cedefdf42e08fe29
Files :
- core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/PluginManager/table.jelly
http://jenkins-ci.org/commit/jenkins/9c237c30dbb866e70239fad501a64aff320cc4a2
Log:
JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.
(cherry picked from commit 02a77ab01edd2751b0be4cea073a648dc05f7010)
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/model/Cause/description.jelly
core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
http://jenkins-ci.org/commit/jenkins/32dd80a7ac22fbc0f434c4cbeb0626e36f503a7c
Log:
JENKINS-9426 Fixed Ras HTML. Cause description.
(cherry picked from commit e31f505087bae56ca97063185a3333a4475a44f7)
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/lib/form/entry.jelly
http://jenkins-ci.org/commit/jenkins/56162ff55166a39b2fdf25d54bd773c26b29318d
Log:
JENKINS-9426 Don't escape a title of the entry tag.
(cherry picked from commit 7501670ca2fa40ea85cc77b6073429dcbfeb18a4)
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
http://jenkins-ci.org/commit/jenkins/486130d389939f52fbfd0219d0968b3fd8a65488
Log:
[FIXED JENKINS-9426] avoid double-escape here
(cherry picked from commit e14c13cdf04e8b9b8871dd15cedefdf42e08fe29)
Compare: https://github.com/jenkinsci/jenkins/compare/afcb555...486130d
Code changed in jenkins
User: Seiji Sogabe
Path:
core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
core/src/main/resources/hudson/model/Hudson/_cli.jelly
core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
core/src/main/resources/hudson/model/LoadStatistics/main.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
core/src/main/resources/lib/hudson/scriptConsole.jelly
http://jenkins-ci.org/commit/jenkins/a903b3abd6f58f72429c752e73d5c7ba69728d25
Log:
JENKINS-9426 get rid of the unwanted escape for XSS.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
core/src/main/resources/hudson/model/AllView/noJob.jelly
core/src/main/resources/hudson/model/Run/console.jelly
http://jenkins-ci.org/commit/jenkins/a35e06c32c9304c24f973f3b359de7dddb30992d
Log:
Revert "JENKINS-9426 fixed broken html."
This reverts commit eb7292e1a2137d9defaadc91eda2de853dda6fdd.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
core/src/main/resources/hudson/model/Hudson/_cli.jelly
core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
core/src/main/resources/hudson/model/LoadStatistics/main.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
core/src/main/resources/lib/hudson/scriptConsole.jelly
http://jenkins-ci.org/commit/jenkins/d9c157e04d49a7d24cd1ce7c163be01ec96f5fc0
Log:
Revert "JENKINS-9426 get rid of the unwanted escape for XSS."
This reverts commit a903b3abd6f58f72429c752e73d5c7ba69728d25.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
core/src/main/resources/hudson/model/AllView/noJob.jelly
core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
core/src/main/resources/hudson/model/Hudson/_cli.jelly
core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
core/src/main/resources/hudson/model/Hudson/fingerprintCheck_ja.properties
core/src/main/resources/hudson/model/LoadStatistics/main.jelly
core/src/main/resources/hudson/model/Run/console.jelly
core/src/main/resources/hudson/model/View/noJob.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
core/src/main/resources/lib/hudson/scriptConsole.jelly
http://jenkins-ci.org/commit/jenkins/0ecb07bd36f334e906c0e0a71da38fd62f9ce5d4
Log:
Those 5 commits revert the unnecessary fixes to JENKINS-9426.
It actually contains one hunk that is necessary, but I'll merge it from
the 1.408 branch.