JENKINS-55355

HTML no longer is parsed in Build Pipeline view after core security update

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Won't Fix
    • Component/s: build-pipeline-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.46 and newer
      Latest Build Pipeline plugin
      Description

      Issue:
      When trying to create HTML within a build pipeline view (through either parameters or descriptions, etc.), the HTML is no longer parsed by the markup formatter.

      Steps to reproduce:

      • Create a new Jenkins instance, at least version 2.46
      • Install the Build Pipeline view plugin
      • Create 2 jobs (upstream and downstream)
      • Add a parameter to one of those jobs which has HTML (I used a string parameter)
      • Create a new build pipeline view to start with the upstream job
      • Make sure you are displaying the parameters and variables within the view

      Observed behavior:
      The HTML code is not parsed correctly; it is treated as a literal string.

      Expected behavior:
      The HTML code is parsed by the markup formatter and appears as rendered HTML.

      You can see with version 2.45 of Jenkins that the issue is not present and the HTML is parsed, which means this security update is the cause. Additionally, nowhere else within the instance is this HTML code unable to be parsed, only on that view.

      HTML code I used:

      <html>
      <header><title>This is title</title></header>
      <body>
      <h1 style="background-color:MediumSeaGreen;">Hello world</h1>
      </body>
      </html>
          dalvizu Dan Alvizu added a comment -

          This is an intentional update for security reasons: failure to escape allows attacks like XSS or XSRF. There may be a way to disable this behavior, or you can revert to less secure versions of Jenkins, if you desire this behavior, but I would not recommend it.

            People

            • Assignee:
              dalvizu Dan Alvizu
              Reporter:
              ataylor Alex Taylor