Jenkins / JENKINS-19676

TAP test description does not get escaped

      Description

      One of my tests outputs text that contains what looks like an HTML tag:

      ok 19 - msg is "defO01<<TRUNCATED>>"

      The Description column for this test on the TAP Extended Test Results page looks like this:

      - msg is "defO01<>"

      When I browse the source HTML for this section of the page, the text from the TAP output is definitely not being escaped. This could lead to cross-site scripting issues.


          Activity

kinow Bruno P. Kinoshita added a comment - edited

          Hi, sorry for taking so long to fix this issue. Working on it at the moment.

Here are the Jelly docs about XSS. I didn't know about this neat trick. A single line to fix this security issue. I'll check if we can add it in a few other files as well, without breaking anything.

          https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention

scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Bruno P. Kinoshita
          Path:
          src/main/resources/org/tap4j/plugin/tags/comments.jelly
          src/main/resources/org/tap4j/plugin/tags/directive.jelly
          src/main/resources/org/tap4j/plugin/tags/line.jelly
          src/main/resources/org/tap4j/plugin/tags/status.jelly
          src/main/resources/org/tap4j/plugin/tags/yaml.jelly
          http://jenkins-ci.org/commit/tap-plugin/763784d63b0eccb846c976b3392bdd28ed40b7e1
          Log:
          [FIXED JENKINS-19676] Add jelly header to prevent XSS in taglib pages

kinow Bruno P. Kinoshita added a comment -
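As an added illustration, not code from the tap-plugin or from the commit above, the following Python shows the two behaviours this issue is about: a TAP result line whose description carries markup-like characters is interpolated verbatim into the results table (the pre-fix rendering, where the browser treats the description as HTML, which is why the reporter saw the text swallowed as a tag), versus the same table with every interpolated value HTML-escaped, which is what the commit's Jelly header does for Jenkins views (in Jenkins, the `<?jelly escape-by-default='true'?>` directive). The sample TAP lines, the table layout, the regular expression and the function names are constructed for this example.

```python
import html
import re

# Constructed sample TAP output. Line 19 carries a markup-like description in
# the spirit of the bug report (not the report's exact truncated value).
SAMPLE_TAP = """\
1..3
ok 1 - plain description
ok 19 - msg is "defO01<b>bold</b>"
not ok 3 - x < y && y > z
"""

# Minimal TAP test-line grammar: "ok"/"not ok", a number, optional " - description".
TAP_LINE = re.compile(r'^(?P<status>ok|not ok)\s+(?P<num>\d+)(?:\s*-\s*(?P<desc>.*))?$')


def parse_tap(text):
    """Return (status, number, description) tuples for each TAP test line."""
    results = []
    for line in text.splitlines():
        m = TAP_LINE.match(line.strip())
        if m:
            results.append((m.group('status'), int(m.group('num')), m.group('desc') or ''))
    return results


def render_unescaped(results):
    """Pre-fix behaviour: the description is dropped into the HTML cell verbatim,
    so any '<', '>' or '&' in test output becomes markup in the results page."""
    rows = [f"<tr><td>{s}</td><td>{n}</td><td>{d}</td></tr>" for s, n, d in results]
    return "<table>" + "".join(rows) + "</table>"


def render_escaped(results):
    """Post-fix behaviour: every interpolated value is HTML-escaped, which is the
    effect escape-by-default has on Jelly expressions."""
    rows = [
        f"<tr><td>{html.escape(s)}</td><td>{n}</td><td>{html.escape(d)}</td></tr>"
        for s, n, d in results
    ]
    return "<table>" + "".join(rows) + "</table>"


def contains_unescaped_markup(rendered_html, results):
    """Detection check: does any description containing markup characters
    appear verbatim (unescaped) in the rendered page?"""
    return any(
        ('<' in d or '>' in d or '&' in d) and d in rendered_html
        for _, _, d in results
    )


if __name__ == "__main__":
    parsed = parse_tap(SAMPLE_TAP)
    print("unescaped rendering leaks markup:", contains_unescaped_markup(render_unescaped(parsed), parsed))
    print("escaped rendering leaks markup:  ", contains_unescaped_markup(render_escaped(parsed), parsed))
    print(render_escaped(parsed))
```

The `contains_unescaped_markup` check is the kind of assertion a plugin's own view test can run against rendered output: feed a description with `<`, `>` and `&` through the page and fail if it comes back verbatim.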

          Released in 1.24

anjohnson Andrew Johnson added a comment -

          I can confirm this is now fixed, thanks very much!

kinow Bruno P. Kinoshita added a comment -

Thanks for confirming it, Andrew. I will try to start another development cycle this weekend to clean some more of the issues in the tap-plugin. Then I will tackle the big ones, that involve performance, threads, classloaders, and will require more time :o) so stay tuned for more releases, possibly a 2.0 in the next days/weeks.

          Bruno


People

• Assignee: kinow Bruno P. Kinoshita
• Reporter: anjohnson Andrew Johnson
• Votes: 0
• Watchers: 3