[JIRA] [git-plugin] (JENKINS-29075) List of changes escapes HTML output of jira-plugin


carsten.pfeiffer@gebit.de (JIRA)

Jun 25, 2015, 2:54:01 AM
to jenkinsc...@googlegroups.com
Carsten Pfeiffer created an issue
 
Jenkins / Bug JENKINS-29075
List of changes escapes HTML output of jira-plugin
Issue Type: Bug
Assignee: Nicolas De Loof
Attachments: html-escaped.png
Components: git-plugin, jira-plugin
Created: 25/Jun/15 6:53 AM
Environment: Linux, Jira 4.1.x, Jenkins 1.616, jira-plugin 1.41, git-plugin 2.3.5
Priority: Minor
Reporter: Carsten Pfeiffer

We're using the jira-plugin to link git-commits to jira issues. Recently the "Changes" box does not properly display the referenced Jira issues as html-links anymore. It escapes the HTML generated by jira-plugin like this:

HTML-escaping the git commit message is probably a good idea, but there should be a way for the jira-plugin to create properly displayed links to the referenced Jira issues.

 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

mark.earl.waite@gmail.com (JIRA)

Jun 25, 2015, 11:36:02 PM
to jenkinsc...@googlegroups.com
Mark Waite commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

Any chance you changed the global settings for security, specifically those related to the handling of HTML embedded in content?

Alternately, did you recently upgrade from an older version of the git plugin or the git client plugin?

A security fix was applied to git plugin 2.3.4 to prevent malicious code from being inserted into the Jenkins pages through a commit message to the git repository. That might have affected what you are seeing.

carsten.pfeiffer@gebit.de (JIRA)

Jun 26, 2015, 4:19:01 AM
to jenkinsc...@googlegroups.com

Thanks for your quick response, Mark.

We didn't change the security settings – the current value for the markup formatter is "Safe HTML". The other available value is "Escaped HTML". I just changed the setting to Escaped HTML once and back to Safe HTML again to rule out a weird configuration bug, but I doubt that this is the reason.

I guess it's rather the security fix for the git plugin "Escape HTML generated into jelly pages with escape="true"". The last version without this fix is 2.3.2; I'll see if I can install it to verify this.

It would be nice if the escaping could be done at a different level, i.e. before the jira-plugin has processed the message, or if it would use the "Safe HTML" formatter that would only remove potentially malicious tags like <script>.
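The ordering question raised in this thread, modelled as an added example (not code from git-plugin or jira-plugin): it shows why escaping the already-annotated message displays the links as HTML source, while escaping the commit message first and adding the link markup afterwards keeps both the links and the protection. The JIRA URL, the issue-key pattern and all function names are assumptions.

```python
import html
import re

# Hypothetical values for illustration; not taken from jira-plugin.
JIRA_BROWSE = "https://jira.example.invalid/browse/"
ISSUE_KEY = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


def link_issue_keys(text: str) -> str:
    """Wrap each issue key in an anchor; everything else passes through unchanged."""
    def repl(match):
        key = match.group(0)  # only [A-Z0-9-], so safe inside the href attribute
        return f'<a href="{JIRA_BROWSE}{key}">{key}</a>'
    return ISSUE_KEY.sub(repl, text)


def annotate_only(msg: str) -> str:
    """No escaping: links render, but so does any markup in the commit message."""
    return link_issue_keys(msg)


def annotate_then_escape(msg: str) -> str:
    """Escape the annotated output: safe, but the links are escaped as well."""
    return html.escape(link_issue_keys(msg))


def escape_then_annotate(msg: str) -> str:
    """Escape the untrusted message first, then add the trusted link markup."""
    return link_issue_keys(html.escape(msg))


# Constructed commit message with an issue key and untrusted markup.
SAMPLE = "PROJ-42: fix login <script>alert(1)</script> & tidy up"

if __name__ == "__main__":
    for render in (annotate_only, annotate_then_escape, escape_then_annotate):
        print(f"{render.__name__}:\n  {render(SAMPLE)}")
```

The second function reproduces the symptom reported here (link markup shown as text); the third is the "escape at a different level" ordering suggested above.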

mark.earl.waite@gmail.com (JIRA)

Jun 26, 2015, 7:42:01 AM
to jenkinsc...@googlegroups.com

Carsten Pfeiffer I'm not sure what changed that caused the behavior to be visible now when it was not visible before. Did you recently update your git plugin to the most recent release?

carsten.pfeiffer@gebit.de (JIRA)

Jun 26, 2015, 8:03:02 AM
to jenkinsc...@googlegroups.com

Yes, I did recently update. And I can confirm that git-plugin 2.3.2 produces correct HTML output. So the change "Escape HTML generated into jelly pages with escape="true"" is most likely the cause for this.

carsten.pfeiffer@gebit.de (JIRA)

Jun 26, 2015, 8:19:01 AM
to jenkinsc...@googlegroups.com

It looks like I was a bit too quick.

  • When I click on "Changes", I get a page "Changes from Git" with a summary table. That one is OK, i.e. the links to Jira issues are good.
  • The page of an individual build that also lists the changes still shows escaped HTML, even with 2.3.2. I tested this with a fresh build, so I can't display information recorded with the previous (newer) git plugin.

radek.antoniuk@quiddia.com (JIRA)

Sep 7, 2015, 7:22:01 PM
to jenkinsc...@googlegroups.com
Radek Antoniuk assigned an issue to Radek Antoniuk
 
Change By: Radek Antoniuk
Assignee: Nicolas De Loof → Radek Antoniuk

radek.antoniuk@quiddia.com (JIRA)

Sep 30, 2015, 7:49:02 PM
to jenkinsc...@googlegroups.com
Radek Antoniuk commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

I've just tested with Jenkins 1.609.3, git-plugin 2.4.0, jira-plugin 2.0.2 and it works for me. Also tried downgrading the plugins, still was unable to replicate. To note, I don't have "Safe HTML" option, AFAIR this is an old naming, now I have "Escaped HTML" and "Raw HTML".

carsten.pfeiffer@gebit.de (JIRA)

Oct 1, 2015, 2:57:04 AM
to jenkinsc...@googlegroups.com

Thanks for trying it. I upgraded to latest Jenkins (1.631) and git-plugin 2.4.0. I had to keep the jira-plugin at 1.41, because this jira doesn't have the REST API.
The "git changes" block of individual builds still shows HTML code as before.

I checked the "Safe HTML" option in Global Security settings. I only have the options "Safe HTML" and "Plain text" (Jenkins with German translation). Changing to "Plain text" doesn't help, the result is still HTML code.

Any other idea where this might come from?

radek.antoniuk@quiddia.com (JIRA)

Oct 1, 2015, 5:41:01 AM
to jenkinsc...@googlegroups.com

I have now tested with JIRA 6.3.0, jira-plugin 1.41, git-plugin 2.3.5 and 2.4.0, tried switching Raw/Escaped HTML and always worked fine for me. I made a screenshot with what I can see, it looks a bit different but that might be the new UI. Not sure why you still see "Safe HTML" and "Plain text"..

radek.antoniuk@quiddia.com (JIRA)

Oct 1, 2015, 5:42:02 AM
to jenkinsc...@googlegroups.com
Radek Antoniuk updated an issue
 

My testing.

Change By: Radek Antoniuk
Attachment: j.png

carsten.pfeiffer@gebit.de (JIRA)

Oct 1, 2015, 8:23:01 AM
to jenkinsc...@googlegroups.com

radek.antoniuk@quiddia.com (JIRA)

Oct 1, 2015, 8:42:01 AM
to jenkinsc...@googlegroups.com

Can you try disabling some of them to see if it fixes it?

carsten.pfeiffer@gebit.de (JIRA)

Oct 1, 2015, 8:53:03 AM
to jenkinsc...@googlegroups.com

Yes, will do, but cannot do it today anymore.

carsten.pfeiffer@gebit.de (JIRA)

Oct 2, 2015, 9:00:09 AM
to jenkinsc...@googlegroups.com

FWIW, in a first test, I couldn't reproduce the problem on a new test machine. I'll dig some more to find out the cause.

radek.antoniuk@quiddia.com (JIRA)

Oct 26, 2015, 11:18:01 AM
to jenkinsc...@googlegroups.com
Radek Antoniuk resolved as Incomplete
 

I'm closing it for now, feel free to reopen if you find anything interesting.

Change By: Radek Antoniuk
Status: Open → Resolved
Resolution: Incomplete

ferruccio.bongianni@gmail.com (JIRA)

Jun 27, 2016, 5:14:02 AM
to jenkinsc...@googlegroups.com
ferruccio bongianni commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

Hello,
I've got the same problem; has it been tackled / resolved?
Thanks
Ferruccio


medianick@gmail.com (JIRA)

Jun 28, 2016, 11:09:01 AM
to jenkinsc...@googlegroups.com

Same issue here. Jenkins 1.651.3 LTS, Git Client plugin 1.19.6, Git plugin 2.5.0, JIRA plugin 2.2.1, JIRA Plugin for Jenkins (from Marvelution) 1.5.5, Subversion plugin 2.6.

The Recent Changes link for the job (listing recent builds and their changes, at /job/{job name}/changes) shows the JIRA links properly (unescaped), but the changes shown on the main page for each build (at /job/{job name}/{build number}) shows the escaped URLs.

medianick@gmail.com (JIRA)

Jun 28, 2016, 11:10:03 AM
to jenkinsc...@googlegroups.com
Nick Jones reopened an issue
 
Change By: Nick Jones
Resolution: Incomplete
Status: Resolved → Reopened

medianick@gmail.com (JIRA)

Jun 28, 2016, 11:11:02 AM
to jenkinsc...@googlegroups.com
Nick Jones edited a comment on Bug JENKINS-29075
Same issue here. Jenkins 1.651.3 LTS, Git Client plugin 1.19.6, Git plugin 2.5.0, JIRA plugin 2.2.1, JIRA Plugin for Jenkins (from Marvelution) 1.5.5, Subversion plugin 2.6.

The Recent Changes link for the job (listing recent builds and their changes, at /job/_name_/changes) shows the JIRA links properly (unescaped), but the changes shown on the main page for each build (at /job/_name_/_id_) shows the escaped URLs.

jbb.ve@free.fr (JIRA)

Aug 18, 2016, 3:45:01 AM
to jenkinsc...@googlegroups.com

jbb.ve@free.fr (JIRA)

Aug 18, 2016, 3:46:01 AM
to jenkinsc...@googlegroups.com
Sébastien Sébastien commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

I got the same problem with
Jenkins ver. 2.7.2
JIRA plugin 2.2.1


jbb.ve@free.fr (JIRA)

Aug 18, 2016, 3:47:01 AM
to jenkinsc...@googlegroups.com

jbb.ve@free.fr (JIRA)

Aug 18, 2016, 3:48:01 AM
to jenkinsc...@googlegroups.com
I got the same problem with
* Jenkins ver. 2.7.2
* JIRA plugin 2.2.1
!ok.png|thumbnail!
!nok.png|thumbnail!

andrei@k-tz.com (JIRA)

Sep 26, 2016, 3:40:01 PM
to jenkinsc...@googlegroups.com
Andrei Barychev updated an issue
 
Change By: Andrei Barychev
Attachment: JIRA-5.4-vs-JIRA-6.2.png

andrei@k-tz.com (JIRA)

Sep 26, 2016, 3:41:01 PM
to jenkinsc...@googlegroups.com
Andrei Barychev commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

I'm having this problem for a couple of months. My case may be helpful for the plugin developers though.

I have two JIRA servers. The first is running JIRA 5.4, with both SOAP and REST APIs enabled. The other is running JIRA 6.2, with REST API only.

I never had a problem with Jenkins displaying issues' details for projects hosted in JIRA 5.4 projects. However, Jenkins displays the escaped HTML for the issues in projects hosted by JIRA 6.2.

Please note, that the escaped HTML is displayed only on Build Status and Build Changes pages. The same issues are displayed correctly on the Project Changes page.

andrei@k-tz.com (JIRA)

Sep 26, 2016, 3:42:02 PM
to jenkinsc...@googlegroups.com
Andrei Barychev edited a comment on Bug JENKINS-29075
I'm having this problem for a couple of months. My case may be helpful for the plugin developers though.

I have *two* JIRA servers. The first is running JIRA 5.4, with both SOAP and REST APIs enabled. The other is running JIRA 6.2, with REST API only.

I never had a problem with Jenkins displaying issues' details for projects hosted by JIRA 5.4. However, Jenkins displays the escaped HTML for the issues in projects hosted by JIRA 6.2.

Please note, that the {color:red}escaped HTML is displayed{color} only on *Build Status* and *Build Changes* pages. The {color:#14892c}same issues are displayed correctly{color} on the *Project Changes* page.

!JIRA-5.4-vs-JIRA-6.2.png|thumbnail!

andrei@k-tz.com (JIRA)

Sep 26, 2016, 3:58:02 PM
to jenkinsc...@googlegroups.com
Andrei Barychev edited a comment on Bug JENKINS-29075
{color:#d04437}*Please disregard the below comment. I was totally wrong. After switching the Jenkins projects to the other JIRA, the 5.4 issues also appear in escaped HTML. My bad.*{color}

I'm having this problem for a couple of months. My case may be helpful for the plugin developers though.


I have *two* JIRA servers. The first is running JIRA 5.4, with both SOAP and REST APIs enabled. The other is running JIRA 6.2, with REST API only.

I never had a problem with Jenkins displaying issues' details for projects hosted by JIRA 5.4. However, Jenkins displays the escaped HTML for the issues in projects hosted by JIRA 6.2.


Please note, that the {color:red}escaped HTML is displayed{color} only on *Build Status* and *Build Changes* pages. The {color:#14892c}same issues are displayed correctly{color} on the *Project Changes* page.

!JIRA-5.4-vs-JIRA-6.2.png|thumbnail!

carsten.pfeiffer@gebit.de (JIRA)

Sep 27, 2016, 3:48:03 AM
to jenkinsc...@googlegroups.com

I just checked again and in our setup, this bug is gone:
jenkins 2.8
git-plugin 2.4.4

jdavis@ipswitch.com (JIRA)

Oct 15, 2016, 4:04:04 PM
to jenkinsc...@googlegroups.com
Jason Davis updated an issue
 
Change By: Jason Davis
Attachment: p4-changes.png

jdavis@ipswitch.com (JIRA)

Oct 15, 2016, 4:06:01 PM
to jenkinsc...@googlegroups.com
Jason Davis commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

I've noticed this issue with the P4 plugin. The overall project changes list is OK, but the change report for a single build is still showing the html for the link instead of actually showing the link.

jdavis@ipswitch.com (JIRA)

Oct 15, 2016, 4:07:03 PM
to jenkinsc...@googlegroups.com
Jason Davis edited a comment on Bug JENKINS-29075
I've noticed this issue with the P4 plugin.  The overall project changes list is OK, but the change report for a single build is still showing the html for the link instead of actually showing the link.  

!p4-changes.png|thumbnail!

jenkins 2.25, JIRA plugin 2.2.1, p4 plugin 1.4.8

radek.antoniuk@quiddia.com (JIRA)

Oct 16, 2016, 5:54:02 PM
to jenkinsc...@googlegroups.com
Radek Antoniuk resolved as Cannot Reproduce
 

Jason, do you mind opening a new issue for P4 as this issue was concerning git integration and it seems is currently resolved. Thanks!

Change By: Radek Antoniuk
Status: Reopened → Resolved
Resolution: Cannot Reproduce

ljaderdev@gmail.com (JIRA)

Nov 5, 2016, 6:13:02 PM
to jenkinsc...@googlegroups.com
Łukasz Jąder commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

This issue should be fixed in git-plugin since 2.3.4 - by commit:
https://github.com/jenkinsci/git-plugin/commit/930ac05035e5292dbdeea4f2135881a0d3f03060

Sébastien DK your job uses SVN, and subversion-plugin still needs the fix to be applied:
https://github.com/jenkinsci/subversion-plugin/pull/174

Probably other SCM like Perforce, or "SCM combining" plugins should be analyzed, if they are also affected.

Hope that helps.

ben.herfurth@develop-group.de (JIRA)

Jan 17, 2017, 3:43:02 AM
to jenkinsc...@googlegroups.com

When will the fix for svn be released?

ben.herfurth@develop-group.de (JIRA)

Jan 17, 2017, 3:43:04 AM
to jenkinsc...@googlegroups.com
Ben Herfurth edited a comment on Bug JENKINS-29075
When will the fix for the svn plugin be released?

mark.earl.waite@gmail.com (JIRA)

Jan 17, 2017, 6:16:02 AM
to jenkinsc...@googlegroups.com

Conversations on subversion plugin PR174 with Daniel Beck and Oleg Nenashev indicate that the change has been approved but not yet merged.

mark.earl.waite@gmail.com (JIRA)

Jan 17, 2017, 6:16:05 AM
to jenkinsc...@googlegroups.com
Mark Waite updated an issue
 
Change By: Mark Waite
Component/s: subversion-plugin

ben.herfurth@develop-group.de (JIRA)

Jan 17, 2017, 6:25:01 AM
to jenkinsc...@googlegroups.com
Ben Herfurth commented on Bug JENKINS-29075
 
Re: List of changes escapes HTML output of jira-plugin

ok. thank you for the information!

Did not find them by myself :<

mark.earl.waite@gmail.com (JIRA)

Oct 22, 2019, 9:32:42 PM
to jenkinsc...@googlegroups.com
Mark Waite closed an issue as Cannot Reproduce
 
Change By: Mark Waite
Status: Resolved → Closed