JENKINS-5135

Adopt <?jelly escape-by-default='true'?> everywhere

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
      Description

      As described in the Wiki, I've just integrated a new version of commons-jelly that makes it easier to prevent XSS vulnerabilities. I need to push the use of this throughout the core.

      This task also includes a modification to maven-hpi-plugin, so that the archetype will generate view files with this PI. The test harness should also be modified to make sure that every view file has this PI (with a switch to disable this test in case plugin devs really don't want to bother.)

      In the first few versions, apply this in a limited place manually in the core to verify we have no unexpected regressions. Then update the test harness so that the core will use it everywhere.
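      The check described above (every view file carries the PI, with a switch to turn the test off) is easy to sketch outside the Jenkins test harness. The script below is an added example, not Jenkins' own harness code or any plugin's code: it walks a resources tree, reports each *.jelly file whose first element is not preceded by `<?jelly escape-by-default='true'?>`, and additionally lists lines that use `<j:out>`, the Jelly core tag that writes its value without escaping (the Subversion plugin commit further down uses exactly that to print annotated commit messages raw). Requiring the PI before the root element is this script's own policy, and the sample tree it scans is constructed here, not taken from any real plugin.

```python
"""
Lint check for Jelly view files: every *.jelly under a resources tree must
carry <?jelly escape-by-default='true'?> ahead of its root element, and any
deliberate raw-HTML output (<j:out>) is listed for review.
Added example; the sample tree below is constructed, not real plugin files.
"""
import re
import tempfile
from pathlib import Path

# The processing instruction the issue asks to adopt everywhere.
ESCAPE_PI = "<?jelly escape-by-default='true'?>"
PI_RE = re.compile(r"<\?jelly\s+escape-by-default\s*=\s*['\"]true['\"]\s*\?>")
# First element start tag; '<?...?>' PIs and '<!-- -->' comments do not match.
ELEMENT_RE = re.compile(r"<[A-Za-z_]")
# <j:out> writes its value unescaped on purpose; such lines deserve a review.
RAW_OUT_RE = re.compile(r"<j:out\b")


def has_escape_pi(text: str) -> bool:
    """True if the PI is present and precedes the root element.

    Policy assumed by this check: the PI belongs at the top of the view,
    where only an XML declaration, comments or whitespace may precede it.
    """
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 BOM
    pi = PI_RE.search(text)
    if pi is None:
        return False
    root = ELEMENT_RE.search(text)
    return root is None or pi.start() < root.start()


def raw_output_lines(text: str) -> list:
    """1-based line numbers that emit unescaped markup via <j:out>."""
    return [n for n, line in enumerate(text.splitlines(), 1) if RAW_OUT_RE.search(line)]


def check_views(root: Path, enforce_pi: bool = True) -> dict:
    """Scan root recursively for *.jelly files and build a report.

    enforce_pi=False is the 'switch to disable this test' from the issue:
    raw-output spots are still listed, but missing PIs are not reported.
    """
    report = {"missing": [], "raw_output": {}}
    for path in sorted(root.rglob("*.jelly")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8")
        if enforce_pi and not has_escape_pi(text):
            report["missing"].append(rel)
        lines = raw_output_lines(text)
        if lines:
            report["raw_output"][rel] = lines
    return report


# Constructed sample tree: a compliant view, one with an XML declaration
# before the PI plus a deliberate <j:out>, one with no PI at all, one where
# the PI comes after the root element, and a non-view file that is skipped.
SAMPLE_VIEWS = {
    "good/config.jelly": "\n".join([
        ESCAPE_PI,
        '<j:jelly xmlns:j="jelly:core">',
        "  <p>${it.message}</p>",  # ${...} is HTML-escaped under the PI
        "</j:jelly>",
    ]) + "\n",
    "xmldecl/index.jelly": "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        ESCAPE_PI,
        '<j:jelly xmlns:j="jelly:core">',
        '  <j:out value="${it.annotatedMessage}"/>',  # raw on purpose (line 4)
        "</j:jelly>",
    ]) + "\n",
    "bad/summary.jelly": "\n".join([
        '<j:jelly xmlns:j="jelly:core">',
        "  <p>${it.message}</p>",
        "</j:jelly>",
    ]) + "\n",
    "late/help.jelly": "\n".join([
        '<j:jelly xmlns:j="jelly:core">',
        ESCAPE_PI,  # too late: the root element is already open
        "  <p>${it.message}</p>",
        "</j:jelly>",
    ]) + "\n",
    "notes/README.txt": "not a view; ignored by the scan\n",
}


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_VIEWS.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def scan_sample_tree(enforce_pi: bool = True) -> dict:
    """Materialise the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return check_views(root, enforce_pi=enforce_pi)


if __name__ == "__main__":
    result = scan_sample_tree()
    for rel in result["missing"]:
        print(f"MISSING PI: {rel}")
    for rel, nums in result["raw_output"].items():
        print(f"REVIEW raw output in {rel} at line(s) {nums}")
    raise SystemExit(1 if result["missing"] else 0)
```

      Point `check_views` at a plugin's `src/main/resources` to run it against real views; the `raw_output` part of the report is not a failure, it is the list of places where the author chose to bypass escaping and where the reviewer should confirm the value is trusted markup rather than user-controlled text.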

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Mark Waite
            Path:
            src/main/resources/hudson/plugins/git/ChangelogToBranchOptions/config.jelly
            src/main/resources/hudson/plugins/git/GitBranchTokenMacro/help.jelly
            src/main/resources/hudson/plugins/git/GitChangeSetList/digest.jelly
            src/main/resources/hudson/plugins/git/GitChangeSetList/index.jelly
            src/main/resources/hudson/plugins/git/GitPublisher/config.jelly
            src/main/resources/hudson/plugins/git/GitRevisionBuildParameters/config.jelly
            src/main/resources/hudson/plugins/git/GitRevisionTokenMacro/help.jelly
            src/main/resources/hudson/plugins/git/GitSCM/config.jelly
            src/main/resources/hudson/plugins/git/GitSCM/global.jelly
            src/main/resources/hudson/plugins/git/GitSCM/project-changes.jelly
            src/main/resources/hudson/plugins/git/GitTagAction/tagForm.jelly
            src/main/resources/hudson/plugins/git/UserMergeOptions/config.jelly
            src/main/resources/hudson/plugins/git/browser/AssemblaWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/BitbucketWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/CGit/config.jelly
            src/main/resources/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitBlitRepositoryBrowser/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitLab/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitList/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/GithubWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/Gitiles/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitoriousWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/KilnGit/config.jelly
            src/main/resources/hudson/plugins/git/browser/Phabricator/config.jelly
            src/main/resources/hudson/plugins/git/browser/RedmineWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/RhodeCode/config.jelly
            src/main/resources/hudson/plugins/git/browser/Stash/config.jelly
            src/main/resources/hudson/plugins/git/browser/ViewGitWeb/config.jelly
            src/main/resources/hudson/plugins/git/extensions/impl/SparseCheckoutPath/config.jelly
            src/main/resources/hudson/plugins/git/extensions/impl/SparseCheckoutPaths/config.jelly
            src/main/resources/hudson/plugins/git/util/BuildData/index.jelly
            src/main/resources/hudson/plugins/git/util/BuildData/summary.jelly
            src/main/resources/index.jelly
            src/main/resources/jenkins/plugins/git/GitSCMSource/config-detail.jelly
            http://jenkins-ci.org/commit/git-plugin/07defeb47056a90a591d21c18b3fc77691527d0c
            Log:
            Escape jelly output by default - see JENKINS-5135

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Mark Waite
            Path:
            src/main/resources/hudson/plugins/git/ChangelogToBranchOptions/config.jelly
            src/main/resources/hudson/plugins/git/GitBranchTokenMacro/help.jelly
            src/main/resources/hudson/plugins/git/GitChangeSetList/digest.jelly
            src/main/resources/hudson/plugins/git/GitChangeSetList/index.jelly
            src/main/resources/hudson/plugins/git/GitPublisher/config.jelly
            src/main/resources/hudson/plugins/git/GitRevisionBuildParameters/config.jelly
            src/main/resources/hudson/plugins/git/GitRevisionTokenMacro/help.jelly
            src/main/resources/hudson/plugins/git/GitSCM/config.jelly
            src/main/resources/hudson/plugins/git/GitSCM/global.jelly
            src/main/resources/hudson/plugins/git/GitSCM/project-changes.jelly
            src/main/resources/hudson/plugins/git/GitTagAction/tagForm.jelly
            src/main/resources/hudson/plugins/git/UserMergeOptions/config.jelly
            src/main/resources/hudson/plugins/git/browser/AssemblaWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/BitbucketWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/CGit/config.jelly
            src/main/resources/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitBlitRepositoryBrowser/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitLab/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitList/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/GithubWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/Gitiles/config.jelly
            src/main/resources/hudson/plugins/git/browser/GitoriousWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/KilnGit/config.jelly
            src/main/resources/hudson/plugins/git/browser/Phabricator/config.jelly
            src/main/resources/hudson/plugins/git/browser/RedmineWeb/config.jelly
            src/main/resources/hudson/plugins/git/browser/RhodeCode/config.jelly
            src/main/resources/hudson/plugins/git/browser/Stash/config.jelly
            src/main/resources/hudson/plugins/git/browser/ViewGitWeb/config.jelly
            src/main/resources/hudson/plugins/git/extensions/impl/SparseCheckoutPath/config.jelly
            src/main/resources/hudson/plugins/git/extensions/impl/SparseCheckoutPaths/config.jelly
            src/main/resources/hudson/plugins/git/util/BuildData/index.jelly
            src/main/resources/hudson/plugins/git/util/BuildData/summary.jelly
            src/main/resources/index.jelly
            src/main/resources/jenkins/plugins/git/GitSCMSource/config-detail.jelly
            http://jenkins-ci.org/commit/git-plugin/f297338702395e53f2f4db8d9070de15bc770890
            Log:
            Escape jelly output by default - see JENKINS-5135

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: danielputerman
            Path:
            src/main/resources/com/applitools/jenkins/AbstractApplitoolsStatusDisplayAction/summary.jelly
            src/main/resources/com/applitools/jenkins/ApplitoolsBuildWrapper/config.jelly
            http://jenkins-ci.org/commit/applitools-eyes-plugin/7d95e9ae04d7aa0671c51cce8dd4453381b265f2
            Log:
            Updated Jelly files according to Jenkins requirements for XSS protection.

            See: https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention
            Additional details: https://issues.jenkins-ci.org/browse/JENKINS-5135

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Lukasz Jader
            Path:
            src/main/resources/hudson/scm/SubversionChangeLogSet/digest.jelly
            src/main/resources/hudson/scm/SubversionChangeLogSet/index.jelly
            http://jenkins-ci.org/commit/subversion-plugin/4fe42befe197c81ee5d652e061f26b55017dbbfd
            Log:
            JENKINS-36521 Print raw (not HTML escaped) commit messages

            Commit decorators add clickable <a> links to issue IDs on the build summary page,
            but the security mechanism preventing XSS in .jelly
            escapes the HTML tags for .jelly files with:
            <?jelly escape-by-default='true'?>

            After the change, annotated commit messages are printed raw,
            without HTML escaping.

            The method used will be consistent with the change in hudson/scm/SCM/project-changes.jelly
            introduced in https://github.com/jenkinsci/jenkins/commit/41ab84fe0a1512fe52347d55fb58445174636896

            Additional details:
            https://wiki.jenkins-ci.org/display/JENKINS/Jelly+and+XSS+prevention
            https://issues.jenkins-ci.org/browse/JENKINS-5135

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Gareth Western
            Path:
            pom.xml
            src/main/resources/index.jelly
            src/main/resources/jenkins/plugins/mqttnotification/MqttNotifier/config.jelly
            http://jenkins-ci.org/commit/mqtt-notification-plugin/3641cc3e1ecf61a1de7e48d7d0a4eba396c4fba1
            Log:
            JENKINS-5135 jelly escape by default


              People

              • Assignee: Unassigned
              • Reporter: kohsuke Kohsuke Kawaguchi
              • Votes: 0
              • Watchers: 5
