Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59056

Report displays raw HTML if CDATA terms are used

    Details

    • Similar Issues:

      Description

      After upgrading JENKINS from v1.121.3 to v1.187 CDATA generated HTML is no longer rendered, but instead it is displayed as raw HTML.

      With Jenkins  version 1.121 teh CDATA renders the HTML corectly to an image href

      Sample xml generating the 'ACTIONS' example tab is attached 

        Attachments

          Activity

          Hide
          ioannis Ioannis Moutsatsos added a comment - - edited

          After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

           

          They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'

          Finally a workaround is offered, which I'm using until the plugin is fixed. See https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities

          Show
          ioannis Ioannis Moutsatsos added a comment - - edited After some investigation and head-banging I came across what seems to be the exact cause of this bug: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening  The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'   They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.' Finally a workaround is offered, which I'm using until the plugin is fixed. See  https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities
          Hide
          olejara Adam Olejar added a comment -

          How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.

           

          Show
          olejara Adam Olejar added a comment - How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false ? I Cant find that setting.  
          Hide
          ioannis Ioannis Moutsatsos added a comment -

          Adam Olejar you can apply the setting at the command used to startup Jenkins. This is what my command line looks like:

          java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

          Show
          ioannis Ioannis Moutsatsos added a comment - Adam Olejar you can apply the setting at the command used to startup Jenkins. This is what my command line looks like: java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

            People

            • Assignee:
              Unassigned
              Reporter:
              ioannis Ioannis Moutsatsos
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: