• Bug
    • Resolution: Fixed
    • Major
    • core
    • None
    • Jenkins 1.407

      Raw HTML codes are displayed on many pages.

          [JENKINS-9426] Raw HTML codes are displayed since 1.407

          sogabe created issue -
          sogabe made changes -
          Link New: This issue is duplicated by JENKINS-9425 [ JENKINS-9425 ]

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          core/src/main/resources/hudson/model/Cause/UserCause/description.jelly
          core/src/main/resources/hudson/model/Hudson/_cli.jelly
          core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          core/src/main/resources/lib/hudson/scriptConsole.jelly
          http://jenkins-ci.org/commit/jenkins/a903b3abd6f58f72429c752e73d5c7ba69728d25
          Log:
          JENKINS-9426 get rid of the unwanted escape for XSS.
          sogabe made changes -
          Link New: This issue is duplicated by JENKINS-9419 [ JENKINS-9419 ]
          sogabe made changes -
          Link New: This issue is duplicated by JENKINS-9418 [ JENKINS-9418 ]

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Seiji Sogabe
          Path:
          core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/model/Run/console.jelly
          http://jenkins-ci.org/commit/jenkins/eb7292e1a2137d9defaadc91eda2de853dda6fdd
          Log:
          JENKINS-9426 fixed broken html.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #708
          JENKINS-9426 get rid of the unwanted escape for XSS.

          Seiji Sogabe : a903b3abd6f58f72429c752e73d5c7ba69728d25
          Files :

          • core/src/main/resources/hudson/model/Hudson/fingerprintCheck.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly
          • core/src/main/resources/hudson/model/LoadStatistics/main.jelly
          • core/src/main/resources/hudson/model/Hudson/_cli.jelly
          • core/src/main/resources/lib/hudson/scriptConsole.jelly
          • core/src/main/resources/hudson/model/Cause/UpstreamCause/description.jelly
          • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/success.jelly
          • core/src/main/resources/hudson/model/Cause/UserCause/description.jelly

          sogabe made changes -
          Link New: This issue is duplicated by JENKINS-9427 [ JENKINS-9427 ]

          dogfood added a comment -

          Integrated in jenkins_main_trunk #709
          JENKINS-9426 fixed broken html.

          Seiji Sogabe : eb7292e1a2137d9defaadc91eda2de853dda6fdd
          Files :

          • core/src/main/resources/hudson/model/Run/console.jelly
          • core/src/main/resources/hudson/model/AbstractItem/noWorkspace.jelly
          • core/src/main/resources/hudson/model/AllView/noJob.jelly


          Kohsuke Kawaguchi added a comment -

          There's something wrong at a bit deeper level.

          The literal use of ${%...} shouldn't require any escaping change, but looking at some of the fixes, it is clearly not the case. I'm trying to determine what I missed here.

          In any case I'm feeling we need an out of cycle 1.408 to address this... My sincere apologies.
