JENKINS-22028: HTML in job description does not get rendered (all html tags escaped)


Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Component/s: core
• Environment: Ubuntu, Tomcat 7.0.52, jenkins war distribution

      Description

      We have html job descriptions for most of our jobs. Since upgrading to the latest jenkins version 1.553 (from 1.538) the html tags do not get rendered. Instead plain html code is shown.

      The same applies for the "Preview" when editing the job description.

Activity

            cb372 cb372 added a comment -

            Same problem here after upgrading to 1.553. This entry from the changelog looks suspicious:

            Split the “raw HTML” markup formatter out of core into a bundled plugin.

            belpk K P added a comment - - edited

            Same issue since 1.553.

Images (from /userContent) and links aren't rendered anymore, only shown as plain HTML, which is hindering usability...

            Addition: this not only applies to job descriptions, but also elsewhere, e.g. the system message that can be configured in the system-wide configuration settings and gets displayed on the top page.

            albers Harald Albers added a comment -

            In 1.553 the Raw HTML Formatter was moved to the new antisamy-markup-formatter plugin.
            This seems to have changed the default HTML formatter from Raw HTML to Escaped HTML, which escapes all HTML.
            You can restore the original behavior by selecting Raw HTML as the Markup Formatter on the Configure Global Security page.

            gpatten Grant Patten added a comment -

            I'm seeing this same issue with 1.553.

            On the Configure Global Security page my only options are Enable security and Prevent Cross Site Request Forgery Exploits. I'm not seeing a Markup Formatter option on that page.

            albers Harald Albers added a comment -

            The Markup Formatter option is only available if you Enable security.

            It's a bit strange that you first have to enable security in order to change the formatter to a potentially dangerous one. This would make more sense if the default formatter were Escaped HTML.

I think the default formatter should be Raw HTML and the Markup Formatter option should be moved directly to the Configure Global Security page, just like Prevent Cross Site Request Forgery Exploits.

            stefanthurnherr Stefan Thurnherr added a comment -

            The workaround described above worked for us:
            "Configure Global Security" -> Check "Enable Security" -> Choose Markup Formatter = "Raw HTML", then pressing "Save" (without selecting any other option).

Interestingly, when going to "Configure Global Security" again, the checkbox "Enable Security" is unchecked again. But still the default for Markup Formatter has been changed to "Raw HTML". So I agree that the option Markup Formatter should probably be moved out of "Enable Security".

            pablaasmo Per Arnold Blaasmo added a comment -

I am not sure this is related, but I can't see an iframe in the description get rendered any more. It was rendered before and now it is not.
            I do have RAW HTML enabled and other HTML is rendered OK.

            exelerus Edin Mujkanovic added a comment -

            We have the same problem with iframes defined in the description fields not being rendered. All other HTML works fine though.

            wesleyarchbell Wesley Archbell added a comment -

            I have the same issue when migrating from 1.538 to 1.560

            bindwood shans zoe added a comment -

I have the same problem on the Jenkins which is installed on Windows (since updating to 1.555 or later, I think), but the Jenkins which is installed on SUSE works well.

            danielbeck Daniel Beck added a comment -

            Per Arnold Blaasmo: Contrary to what the name indicates, "Raw HTML" doesn't allow potentially unsafe HTML (like iframes). Use the Anything goes Formatter for this.

            danielbeck Daniel Beck added a comment -

            Allow configuring the markup formatter without requiring "Enable Security":
            https://github.com/jenkinsci/jenkins/pull/1235

            Change the display name and description of the bundled 'Raw HTML' formatter plugin to match its behavior:
            https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/1

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3374
            [FIX JENKINS-22028] Allow MarkupFormatter without enabling security (Revision ac3a5cd61461c5f7f063c57fba81a5aec6409664)
            JENKINS-22028 Noting merge of #1235. (Revision f3943a4ef707697e4cd512463c81b07f9bec95bc)

            Result = SUCCESS
            daniel-beck : ac3a5cd61461c5f7f063c57fba81a5aec6409664
            Files :

            • core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            • core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            • core/src/main/java/jenkins/model/Jenkins.java

            Jesse Glick : f3943a4ef707697e4cd512463c81b07f9bec95bc
            Files :

            • changelog.html
            danielbeck Daniel Beck added a comment -

            The currently unreleased Jenkins 1.564 will allow selection of a markup formatter even with security disabled (similar to the CSRF protection).

            Additionally, changed name and description of 'Raw HTML' formatter to better reflect what it actually does. Will be part of the next release of the antisamy-markup-formatter plugin.

            In case of no existing security configuration, the default was changed from Raw/Safe HTML to Escaped HTML in 1.553. I don't think this is bad enough to warrant additional backwards compatibility changes as it's easily changed in the config, especially in 1.564 onward. Therefore I'm closing this.

            If you experience this issue, update to Jenkins 1.564 or newer and select 'Raw HTML' or 'Safe HTML' on the Configure Global Security page.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            http://jenkins-ci.org/commit/jenkins/ac3a5cd61461c5f7f063c57fba81a5aec6409664
            Log:
            [FIX JENKINS-22028] Allow MarkupFormatter without enabling security

            Given the current default of 'Escaped HTML', it makes no sense
            to require users to 'Enable Security' to set up a less secure
            alternative. So show it on the global security configuration page
            on top level.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/security/GlobalSecurityConfiguration.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/security/GlobalSecurityConfiguration/index.groovy
            http://jenkins-ci.org/commit/jenkins/4770a7beab4fd8c776bd556998557fcefeb35a16
            Log:
            Merge branch 'JENKINS-22028' of github.com:daniel-beck/jenkins

scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Jesse Glick
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/f3943a4ef707697e4cd512463c81b07f9bec95bc
Log:
JENKINS-22028 Noting merge of #1235.
Compare: https://github.com/jenkinsci/jenkins/compare/b8c3f61c907d...f3943a4ef707
            bazzargh bazzargh added a comment -

            The fix above is in 1.565, not 1.564 (for the benefit of those like me wondering why the 1.564 upgrade didn't fix it)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/9f3e1d8181e1b7ff50ef13e7d5cc3ab335b34eaf
            Log:
            JENKINS-22028 was only fixed in 1.565

            roop_vijay Roop Vijay Singh added a comment -

I installed the 1.566 version but am still getting the same issue. The iframe is not visible in the Description.

            danielbeck Daniel Beck added a comment -

Roop Vijay Singh: Install Anything Goes Formatter Plugin. 'Raw HTML', despite its name, only allows a safe subset of HTML. Iframes are not considered safe.

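The distinction Daniel Beck draws in this reply, and earlier in his reply to Per Arnold Blaasmo, is between three formatter behaviours: "Escaped HTML" turns the whole description into literal text, "Raw HTML" / "Safe HTML" sanitises it down to an allowlisted subset (links and images survive, iframes do not), and "Anything Goes" passes everything through. The following Python model is an added example, not code from Jenkins or from the antisamy-markup-formatter plugin; its allowlist, URL rule and sample description are constructed and are much smaller than the OWASP AntiSamy policy the plugin really applies.

```python
"""Constructed model of the three Jenkins markup-formatter behaviours named in
JENKINS-22028. Not Jenkins' or AntiSamy's code; the allowlist below is an
assumption made for illustration."""
import html
from html.parser import HTMLParser

# Deliberately small allowlist (assumption). The real policy permits far more,
# but likewise excludes iframe, script, object and similar active content.
SAFE_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "b": set(), "i": set(), "br": set(), "ul": set(), "li": set(),
}
VOID_TAGS = {"img", "br"}


def url_allowed(value):
    """Allow http(s) and site-relative URLs; reject javascript:, data:, etc."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "/")) or ":" not in v


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags and attributes, drops every other
    element together with its content, and re-escapes all text nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # output fragments
        self.dropped = []   # audit trail of what was removed
        self._skip = 0      # > 0 while inside a disallowed element

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self._skip += 1  # an unclosed bad tag swallows the rest: fail closed
            return
        if self._skip:
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in SAFE_TAGS[tag] or (
                name in ("href", "src") and not url_allowed(value)
            ):
                self.dropped.append(f"{tag}[{name}]")
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag not in SAFE_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def escaped_html(markup):
    """'Escaped HTML' formatter: the markup is shown literally as text."""
    return html.escape(markup, quote=True)


def safe_html(markup):
    """'Raw HTML' / 'Safe HTML' formatter model: returns (clean_html, dropped)."""
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped


def anything_goes(markup):
    """'Anything Goes' formatter: no filtering at all."""
    return markup


# Constructed job description of the kind the thread describes: a link and an
# image under /userContent, plus an iframe and a javascript: link.
DESCRIPTION = (
    '<p>Dashboard: <a href="/userContent/dashboard.html">open</a> '
    '<img src="/userContent/status.png" alt="status"></p>'
    '<iframe src="https://example.com/widget"></iframe>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    for name, fn in (("Escaped HTML", escaped_html),
                     ("Safe HTML", safe_html),
                     ("Anything Goes", anything_goes)):
        print(f"--- {name}\n{fn(DESCRIPTION)}")
```

Running it prints the same description under all three behaviours; the `dropped` list returned by `safe_html` is the kind of audit trail worth collecting before moving a job from the escaped default to a looser formatter, since it shows exactly which elements and attributes the sanitizer refuses.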
            roop_vijay Roop Vijay Singh added a comment -

            Thank you Very much Daniel.
            It works.

            frvge Frank van Gemeren added a comment -

            I'm having the same issue on a relatively new installation. The version number is 1.590. There is only the "Escaped HTML" option in Global Security. I can't see "Safe HTML". Any ideas?

            danielbeck Daniel Beck added a comment -

            Make sure Antisamy Markup Formatter plugin is installed and enabled.

            I think the almost 20 people watching this would have noticed in the last half year if this wasn't actually fixed and mentioned it. So it's likely that, whatever it is, you're experiencing a different issue. Therefore please file a new issue if the above doesn't work for you, following the advice at https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue . Or even better, ask for troubleshooting advice on the jenkinsci-users mailing list or in IRC first.

            frvge Frank van Gemeren added a comment -

            Follow-up: I couldn't find Antisamy Plugin anywhere. We fixed it by enabling "OWASP Markup Formatter Plugin". The release notes of 1.553 do not explicitly name this plugin.

            danielbeck Daniel Beck added a comment -

            Frank: That's the one. "OWASP Markup Formatter Plugin" is what it's called on the UI. Its ID is antisamy-markup-formatter, and its file name (in JENKINS_HOME/plugins) is antisamy-markup-formatter.hpi/jpi, so that's the name by which I know it. Sorry about that.

            warden Radek Antoniuk added a comment -

            I think that the naming of the option is misleading. The "Escaped HTML" suggests that if someone puts properly escaped HTML inside the description, it will get rendered (i.e. interpreted) - whereas it is actually treated as plaintext. Maybe naming the option as plain-text would serve better.

            jglick Jesse Glick added a comment -

Radek Antoniuk, file a PR to change the UI labels to refer to “plain text”.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Radek Antoniuk
            Path:
            core/src/main/resources/hudson/markup/Messages.properties
            http://jenkins-ci.org/commit/jenkins/d758818b09ecd8d3eebebc927409e0ed58b2938a
            Log:
            JENKINS-22028 - update label to reflect actual behavior

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/hudson/markup/Messages.properties
            http://jenkins-ci.org/commit/jenkins/107a502db4a55122f9be13ef0e31bebde8fe733d
            Log:
            Merge pull request #1742 from QUIDDIA/master

            JENKINS-22028 update label to reflect actual behavior

            Compare: https://github.com/jenkinsci/jenkins/compare/76f4c3519b62...107a502db4a5

            jsdevel Joseph Spencer added a comment - - edited

            Reopening as the initial fix only changed the display name, not the info message (see screenshot). Verified in 1.625.2

jsdevel Joseph Spencer added a comment -

Pending PR https://github.com/kogosoftwarellc/jenkins/pull/1
            danielbeck Daniel Beck added a comment -

            First, the message is true. It's just that you did not enable markup formatting, so there's no formatting applied.

            Second, nobody on this tracker cares about PRs to your own forks of Jenkins.


People

• Assignee: Unassigned
• Reporter: stefanthurnherr Stefan Thurnherr
• Votes: 10
• Watchers: 21