• Bug
    • Resolution: Fixed
    • Major
    • core
    • None
    • Jenkins 1.407

      Raw HTML codes are displayed on many pages.

          [JENKINS-9426] Raw HTML codes are displayed since 1.407

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
          core/src/main/resources/hudson/model/Hudson/_cli.jelly
          core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          core/src/main/resources/lib/hudson/scriptConsole.jelly
          http://jenkins-ci.org/commit/jenkins/a903b3abd6f58f72429c752e73d5c7ba69728d25
          Log:
          JENKINS-9426 get rid of the unwanted escape for XSS.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/model/Run/console.jelly
          http://jenkins-ci.org/commit/jenkins/eb7292e1a2137d9defaadc91eda2de853dda6fdd
          Log:
          JENKINS-9426 fixed broken html.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #708
          JENKINS-9426 get rid of the unwanted escape for XSS.

          Seiji Sogabe : a903b3abd6f58f72429c752e73d5c7ba69728d25
          Files :

          • core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          • core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          • core/src/main/resources/hudson/model/Hudson/_cli.jelly
          • core/src/main/resources/lib/hudson/scriptConsole.jelly
          • core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          • core/src/main/resources/hudson/model/Cause/UserCause/description.jelly


          dogfood added a comment -

          Integrated in jenkins_main_trunk #709
          JENKINS-9426 fixed broken html.

          Seiji Sogabe : eb7292e1a2137d9defaadc91eda2de853dda6fdd
          Files :

          • core/src/main/resources/hudson/model/Run/console.jelly
          • core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          • core/src/main/resources/hudson/model/AllView/noJob.jelly


          Kohsuke Kawaguchi added a comment -

          There's something wrong at a bit deeper level.

          The literal use of ${%...} shouldn't require any escaping change, but looking at some of the fixes, it is clearly not the case. I'm trying to determine what I missed here.

          In any case I'm feeling we need an out of cycle 1.408 to address this... My sincere apologies.

          Kohsuke Kawaguchi added a comment - - edited

          I figured out what's going on.

          There is org.jvnet.hudson:commons-jelly and there's now org.jenkins-ci:commons-jelly. As they have different groupIDs, Maven thinks of them as different artifacts, both ship in the war, and which one "wins" in the classloader at runtime is rather nondeterministic.

          So it must be that our RC soak ran with the right version, but for some environments, the bad one wins, and this fiasco ensues.

          I'll write a Maven enforcer rule to catch this.

          This also means that some of the "fixes" made later (such as 6523693e804bd786bc74a0354b3326ec2a8a0323) were actually unnecessary (even though they aren't wrong). I'm thinking of mandating the XSS prevention PI in all jelly views in the core, so I'd like to restore them.
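The condition described in the comment above (two commons-jelly jars with different groupIds both packaged in the WAR) can be caught by scanning the built WAR for classes shipped by more than one jar. This is an added example, not code from the Jenkins project and not the Maven enforcer rule mentioned in the comment; the jar file names, the placeholder class bytes and the sample WAR are constructed for illustration, and it assumes the jars carry the usual `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry.

```python
import io
import zipfile
from collections import defaultdict

LIB_PREFIX = "WEB-INF/lib/"


def _maven_coordinates(jar):
    """Return 'groupId:artifactId' values taken from META-INF/maven/*/*/pom.properties paths."""
    coords = []
    for name in jar.namelist():
        parts = name.split("/")
        if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.properties":
            coords.append(f"{parts[2]}:{parts[3]}")
    return sorted(coords)


def scan_war(war_file):
    """Map each jar under WEB-INF/lib to (maven coordinates, set of .class entries)."""
    jars = {}
    with zipfile.ZipFile(war_file) as war:
        for entry in war.namelist():
            if entry.startswith(LIB_PREFIX) and entry.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                    classes = {n for n in jar.namelist() if n.endswith(".class")}
                    jars[entry[len(LIB_PREFIX):]] = (_maven_coordinates(jar), classes)
    return jars


def duplicate_classes(jars):
    """Return {class entry: sorted jar names} for every class shipped by more than one jar."""
    owners = defaultdict(list)
    for jar_name, (_, classes) in jars.items():
        for cls in classes:
            owners[cls].append(jar_name)
    return {cls: sorted(names) for cls, names in owners.items() if len(names) > 1}


def conflicting_artifacts(jars):
    """Return sorted (artifact A, artifact B, shared class count) for jar pairs that overlap."""
    pair_counts = defaultdict(int)
    for names in duplicate_classes(jars).values():
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                pair_counts[(a, b)] += 1

    def label(jar_name):
        # Fall back to the file name when the jar has no Maven metadata.
        coords = jars[jar_name][0]
        return ",".join(coords) if coords else jar_name

    return sorted((label(a), label(b), n) for (a, b), n in pair_counts.items())


def _make_jar(group_id, artifact_id, class_entries):
    """Build a constructed jar in memory; class bodies are placeholder bytes, not real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                     f"groupId={group_id}\nartifactId={artifact_id}\n")
        for entry in class_entries:
            jar.writestr(entry, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR: commons-jelly under both groupIds from the comment, plus an unrelated jar."""
    jelly = ["org/apache/commons/jelly/JellyContext.class",
             "org/apache/commons/jelly/Script.class"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(LIB_PREFIX + "commons-jelly-A.jar",
                     _make_jar("org.jvnet.hudson", "commons-jelly", jelly))
        war.writestr(LIB_PREFIX + "commons-jelly-B.jar",
                     _make_jar("org.jenkins-ci", "commons-jelly", jelly))
        war.writestr(LIB_PREFIX + "unrelated.jar",
                     _make_jar("com.example", "unrelated", ["com/example/Util.class"]))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    found = conflicting_artifacts(scan_war(build_sample_war()))
    for left, right, shared in found:
        print(f"{left} and {right} both ship {shared} identical class name(s)")
    # A non-zero exit lets a release pipeline fail before the WAR is published.
    raise SystemExit(1 if found else 0)
```

Pointing `scan_war` at a real WAR path instead of the constructed one gives a release-time check that does not depend on which jar the classloader happens to pick first.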

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/31e7daea9bbeda121439d977527e0b4dfd5250d5
          Log:
          recording JENKINS-9426 fix for the out-of-cycle 1.408 release

          dogfood added a comment -

          Integrated in jenkins_main_trunk #714
          recording JENKINS-9426 fix for the out-of-cycle 1.408 release
          Revert "JENKINS-9426 fixed broken html."
          Revert "JENKINS-9426 get rid of the unwanted escape for XSS."

          Kohsuke Kawaguchi : 31e7daea9bbeda121439d977527e0b4dfd5250d5
          Files :

          • changelog.html

          Kohsuke Kawaguchi : a35e06c32c9304c24f973f3b359de7dddb30992d
          Files :

          • core/src/main/resources/hudson/model/AllView/noJob.jelly
          • core/src/main/resources/hudson/model/Run/console.jelly
          • core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly

          Kohsuke Kawaguchi : d9c157e04d49a7d24cd1ce7c163be01ec96f5fc0
          Files :

          • core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          • core/src/main/resources/hudson/model/Hudson/_cli.jelly
          • core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          • core/src/main/resources/lib/hudson/scriptConsole.jelly
          • core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          • core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly


          Sylvain Veyrié added a comment -

          There is still raw HTML code in 1.408, (at least) in the update center.

          For example:

          Checkstyle Plugin
          This plugin generates the trend report for <a href='http://checkstyle.sourceforge.net/'>Checkstyle</a>, an open source static code analysis program.

          It is ok in "Installed" tab, but not "updates" and "available"

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/PluginManager/table.jelly
          http://jenkins-ci.org/commit/jenkins/02a77ab01edd2751b0be4cea073a648dc05f7010
          Log:
          JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/Cause/description.jelly
          core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
          http://jenkins-ci.org/commit/jenkins/e31f505087bae56ca97063185a3333a4475a44f7
          Log:
          JENKINS-9426 Fixed Raw HTML. Cause description.

          Sylvain Veyrié added a comment -

          @ssogabe

          Warn, I think there is "vaalue=" instead of "value=" in your diff (ignore me if this is an ignorant remark).

          dogfood added a comment -

          Integrated in jenkins_main_trunk #719
          JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.

          Seiji Sogabe : 02a77ab01edd2751b0be4cea073a648dc05f7010
          Files :

          • core/src/main/resources/hudson/PluginManager/table.jelly


          dogfood added a comment -

          Integrated in jenkins_main_trunk #720
          JENKINS-9426 Fixed Raw HTML. Cause description.

          Seiji Sogabe : e31f505087bae56ca97063185a3333a4475a44f7
          Files :

          • core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
          • core/src/main/resources/hudson/model/Cause/description.jelly

          sogabe added a comment - @Sylvain Veyrié Thanks! https://github.com/jenkinsci/jenkins/commit/2894e0e7ba07c46ce4b6ebcb875a8cdee7620a10#core/src/main/resources/hudson/model/Cause/description.jelly

          sogabe added a comment -

          If you find Raw HTML code, please reopen.

          bap added a comment - - edited

          This issue is not "fixed"

          As kk commented above, when using the escape-by-default='true' pi and localized properties, the markup should not be escaped - as per https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention

          To demonstrate the change in behaviour from 1.407 onwards, install this slightly modified Hello world builder into 1.406 and have a look at the label in the global config (or 'Say hello world' build step). Both of these labels will be displayed on two lines. Now install the same plugin in any later version, and the labels will be displayed on one line with a nice <br /> in between.

          https://github.com/bap2000/jenkins-can-haz-markup/blob/master/can-haz-markup.hpi

          If you don't trust the binary, the source is here https://github.com/bap2000/jenkins-can-haz-markup


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/lib/form/entry.jelly
          http://jenkins-ci.org/commit/jenkins/7501670ca2fa40ea85cc77b6073429dcbfeb18a4
          Log:
          JENKINS-9426 Don't escape a title of the entry tag.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #773
          JENKINS-9426 Don't escape a title of the entry tag.

          Seiji Sogabe : 7501670ca2fa40ea85cc77b6073429dcbfeb18a4
          Files :

          • core/src/main/resources/lib/form/entry.jelly


          bap added a comment -

          Woo hoo! Thanks. Trunk is good


          Matthew Webber added a comment -

          Looks like this fix is incomplete, so I'm reopening. On the "Nodes" page, I see the following literal text in the "response time" column of the table which shows the status of the various Jenkins slaves:

          <span class=error><img src='/static/1193576e/images/none.gif' height=16 width=1>Time out for last 1 try</span>

          Matthew Webber added a comment -

          The fix is incomplete. See previous comment. Thanks.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
          http://jenkins-ci.org/commit/jenkins/e14c13cdf04e8b9b8871dd15cedefdf42e08fe29
          Log:
          [FIXED JENKINS-9426] avoid double-escape here

          dogfood added a comment -

          Integrated in jenkins_main_trunk #789
          [FIXED JENKINS-9426] avoid double-escape here

          Kohsuke Kawaguchi : e14c13cdf04e8b9b8871dd15cedefdf42e08fe29
          Files :

          • core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/PluginManager/table.jelly
          http://jenkins-ci.org/commit/jenkins/9c237c30dbb866e70239fad501a64aff320cc4a2
          Log:
          JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.
          (cherry picked from commit 02a77ab01edd2751b0be4cea073a648dc05f7010)

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/Cause/description.jelly
          core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
          http://jenkins-ci.org/commit/jenkins/32dd80a7ac22fbc0f434c4cbeb0626e36f503a7c
          Log:
          JENKINS-9426 Fixed Raw HTML. Cause description.
          (cherry picked from commit e31f505087bae56ca97063185a3333a4475a44f7)

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/lib/form/entry.jelly
          http://jenkins-ci.org/commit/jenkins/56162ff55166a39b2fdf25d54bd773c26b29318d
          Log:
          JENKINS-9426 Don't escape a title of the entry tag.
          (cherry picked from commit 7501670ca2fa40ea85cc77b6073429dcbfeb18a4)

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
          http://jenkins-ci.org/commit/jenkins/486130d389939f52fbfd0219d0968b3fd8a65488
          Log:
          [FIXED JENKINS-9426] avoid double-escape here
          (cherry picked from commit e14c13cdf04e8b9b8871dd15cedefdf42e08fe29)

          Compare: https://github.com/jenkinsci/jenkins/compare/afcb555...486130d


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/model/Run/console.jelly
          http://jenkins-ci.org/commit/jenkins/a35e06c32c9304c24f973f3b359de7dddb30992d
          Log:
          Revert "JENKINS-9426 fixed broken html."

          This reverts commit eb7292e1a2137d9defaadc91eda2de853dda6fdd.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
          core/src/main/resources/hudson/model/Hudson/_cli.jelly
          core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          core/src/main/resources/lib/hudson/scriptConsole.jelly
          http://jenkins-ci.org/commit/jenkins/d9c157e04d49a7d24cd1ce7c163be01ec96f5fc0
          Log:
          Revert "JENKINS-9426 get rid of the unwanted escape for XSS."

          This reverts commit a903b3abd6f58f72429c752e73d5c7ba69728d25.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
          core/src/main/resources/hudson/model/Hudson/_cli.jelly
          core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          core/src/main/resources/hudson/model/Hudson/fingerprintCheck_ja.properties
          core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          core/src/main/resources/hudson/model/Run/console.jelly
          core/src/main/resources/hudson/model/View/noJob.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          core/src/main/resources/lib/hudson/scriptConsole.jelly
          http://jenkins-ci.org/commit/jenkins/0ecb07bd36f334e906c0e0a71da38fd62f9ce5d4
          Log:
          Those 5 commits revert the unnecessary fixes to JENKINS-9426.
          It actually contains one hunk that is necessary, but I'll merge it from
          the 1.408 branch.

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/PluginManager/table.jelly
          http://jenkins-ci.org/commit/jenkins/02a77ab01edd2751b0be4cea073a648dc05f7010
          Log:
          JENKINS-9426 Fixed Raw HTML code. "updates" and "available" tab.

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/Cause/description.jelly
          core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly
          http://jenkins-ci.org/commit/jenkins/e31f505087bae56ca97063185a3333a4475a44f7
          Log:
          JENKINS-9426 Fixed Raw HTML. Cause description.

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/lib/form/entry.jelly
          http://jenkins-ci.org/commit/jenkins/7501670ca2fa40ea85cc77b6073429dcbfeb18a4
          Log:
          JENKINS-9426 Don't escape a title of the entry tag.

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/resources/hudson/node_monitors/ResponseTimeMonitor/column.jelly
          http://jenkins-ci.org/commit/jenkins/e14c13cdf04e8b9b8871dd15cedefdf42e08fe29
          Log:
          [FIXED JENKINS-9426] avoid double-escape here

            sogabe sogabe
            sogabe sogabe
            Votes: 4
            Watchers: 3