[JIRA] (JENKINS-59056) Report displays raw HTML if CDATA terms are used


imoutsatsos@msn.com (JIRA)

Aug 23, 2019, 4:00:02 PM
to jenkinsc...@googlegroups.com
Ioannis Moutsatsos updated an issue
 
Jenkins / Bug JENKINS-59056
Report displays raw HTML if CDATA terms are used
Change By: Ioannis Moutsatsos
Summary: changed from "HTML in report displays as raw HTML if CDATA terms are used" to "Report displays raw HTML if CDATA terms are used"
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

imoutsatsos@msn.com (JIRA)

Aug 23, 2019, 4:22:02 PM
to jenkinsc...@googlegroups.com
Ioannis Moutsatsos edited a comment on Bug JENKINS-59056
 
Re: Report displays raw HTML if CDATA terms are used
After some investigation and head-banging I came across what seems to be the exact cause of this bug: [https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+2018-10-10+Stapler+security+hardening] The Summary Display Plugin is specifically listed and the 'impact/behavior' is listed as 'Raw HTML is shown if CDATA terms are used'

 

They also claim that 'We expect that (affected) plugins will adapt pretty quickly to this change, as the fix is typically straightforward.'


Finally a workaround is offered, which I'm using until the plugin is fixed. See [https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-to-prevent-xss-vulnerabilities]

adam.olejar@mavenir.com (JIRA)

Jan 18, 2020, 8:35:03 AM
to jenkinsc...@googlegroups.com

How did you set org.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault to false? I can't find that setting.

 


imoutsatsos@msn.com (JIRA)

Apr 17, 2020, 12:12:03 PM
to jenkinsc...@googlegroups.com

Adam Olejar, you can apply the setting on the command used to start up Jenkins. This is what my command line looks like:

java -Xrs -Xmx2048m -XX:MaxPermSize=512m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "path/to/jenkins/jenkins.war" --httpPort=8080

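As an added defensive check (not part of this thread or of Jenkins itself): a POSIX shell function that audits a Jenkins startup command line for the two hardening-bypass flags visible in the command above, the global escapeByDefault=false switch and an emptied DirectoryBrowserSupport CSP. The function name and the sample command lines are my own; it reports findings on stdout and returns non-zero when a weakening flag is present.

```shell
#!/bin/sh
# Hypothetical audit helper: scan a Jenkins java command line for options that
# undo the 2.138 Stapler/Jelly escape-by-default hardening or blank the
# Content-Security-Policy header used for workspace/archive browsing.
# Returns 0 when nothing weakening is found, 1 otherwise.
audit_jenkins_cmdline() {
    cmdline=$1
    findings=0

    # Global Jelly escaping disabled: every view that printed raw ${...}
    # before 2.138 becomes an XSS sink again, not just the Summary Display plugin.
    # Match both -Dprop=false and -Dprop="false" (the quoted form appears above).
    case "$cmdline" in
        *"-Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault=false"*|\
        *"-Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault=\"false\""*)
            echo "WEAK: Jelly escape-by-default disabled globally (escapeByDefault=false)"
            findings=$((findings + 1)) ;;
    esac

    # An empty CSP value removes the Content-Security-Policy header that Jenkins
    # sends for files served from workspaces and archived artifacts.
    case "$cmdline" in
        *"-Dhudson.model.DirectoryBrowserSupport.CSP= "*|\
        *"-Dhudson.model.DirectoryBrowserSupport.CSP=\"\""*|\
        *"-Dhudson.model.DirectoryBrowserSupport.CSP=")
            echo "WEAK: DirectoryBrowserSupport.CSP is empty (no CSP on served workspace files)"
            findings=$((findings + 1)) ;;
    esac

    if [ "$findings" -eq 0 ]; then
        echo "OK: no hardening-bypass flags found"
        return 0
    fi
    return 1
}

# Constructed sample mirroring the command line quoted in the thread (paths shortened).
SAMPLE_WEAK='java -Xrs -Xmx2048m -Dhudson.model.DirectoryBrowserSupport.CSP= -Dorg.kohsuke.stapler.jelly.CustomJellyContext.escapeByDefault="false" -jar jenkins.war --httpPort=8080'
SAMPLE_OK='java -Xrs -Xmx2048m -jar jenkins.war --httpPort=8080'

audit_jenkins_cmdline "$SAMPLE_WEAK" || echo "=> sample startup line weakens XSS hardening"
audit_jenkins_cmdline "$SAMPLE_OK"
```

Run it against the real service definition (the Windows service XML arguments or the JAVA_OPTS of the init script) rather than a shell history, since that is where the flags persist across restarts.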