jenkinsci / badge-plugin

Jenkins Badge plugin
https://plugins.jenkins.io/badge/
MIT License

Createsummary removes some html tags #18

Closed Spinus1 closed 5 years ago

Spinus1 commented 5 years ago

Hello, I'm using createSummary with a Jenkins pipeline. It seems that some HTML tags are removed even if I set escapeHtml to false.

Example:

```groovy
def mydetails = "details..."
def html = "<details><summary>Summary</summary> <li>list item</li>" + mydetails + "</details>"
createSummary icon: 'orange-square.png', escapeHtml: false, text: html, id: "summaryID"
```

Output: in the pipeline summary page I can see that the `<li>list item</li>` is present (it renders as a bullet), but the HTML tags `<details>` and `<summary>` are removed.

BR, Alessio

bakito commented 5 years ago

Hi Alessio

This is a side effect of the security issue I got in this plugin. See https://github.com/jenkinsci/badge-plugin/commit/63a7744cef33338e62898576a50bcc521d76ba9f and https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906

With this finding I had to introduce an HTML filter to prevent malicious HTML. I also tried a different sanitizer (https://github.com/OWASP/java-html-sanitizer) but it also filters your tags.

Regards

Marc

Spinus1 commented 5 years ago

Hello Marc, I'm not sure if I get it right, but badge-plugin is using the antisamy-markup-formatter plugin, which, if I understood correctly, is based on OWASP AntiSamy, and that should be configurable:

But, sincerely, from these policy files I cannot understand if it can be tuned to whitelist the Details & Summary elements... if I have some free time at work I'll test just the OWASP AntiSamy library to see how it handles this element.

It is not a big issue working without the Details & Summary elements, but I think that having collapsible elements in the pipeline summary could improve readability when you need to store a lot of information.

BR, Alessio

bakito commented 5 years ago

Hi Alessio

I'm also thinking of adding a global settings property to disable the HTML sanitizing step. By default it would be active, but could be disabled if needed.

Regards,

Marc

patbur commented 5 years ago

Hello Marc,

Adding a global settings property would be very appreciated.

Regards, Patrik

bakito commented 5 years ago

Will be released with 1.8.

With 1.8 you can disable the HTML filtering in the global configuration.
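Added example, not code from the badge plugin or from anyone in this thread: it answers Alessio's question above ("can it be tuned to whitelist Details & Summary elements") and Marc's remark that java-html-sanitizer also filters those tags, by showing what a narrow allow list looks like with the OWASP java-html-sanitizer library Marc linked. It uses that library's `org.owasp.html` API (`HtmlPolicyBuilder`, `PolicyFactory`, `Sanitizers`) rather than the AntiSamy policy the plugin actually relies on; the class name, the two policy names and both sample inputs are constructed for this illustration.

```java
// Added illustration for this page: allow-listing <details>/<summary> with the
// OWASP java-html-sanitizer. Not the badge plugin's code; assumes the library
// (groupId com.googlecode.owasp-java-html-sanitizer) is on the classpath.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SummaryPolicyDemo {

    // Baseline: the library's stock formatting and block-level allow lists
    // (b, i, code, ul, ol, li, p, ...). <details>/<summary> are not on them, so the
    // sanitizer drops those tags while keeping their text content.
    static final PolicyFactory BASELINE = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    // Extended: the same baseline plus the two collapsible-section elements. The
    // boolean "open" attribute is the only attribute permitted on <details>, so
    // event handlers such as ontoggle= are stripped even when the element survives.
    static final PolicyFactory WITH_DETAILS = BASELINE.and(
            new HtmlPolicyBuilder()
                    .allowElements("details", "summary")
                    .allowAttributes("open").onElements("details")
                    .toFactory());

    static String sanitizeBaseline(String html) {
        return BASELINE.sanitize(html);
    }

    static String sanitizeWithDetails(String html) {
        return WITH_DETAILS.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the pipeline snippet at the top of the issue.
        String benign = "<details><summary>Summary</summary>"
                + "<ul><li>list item</li></ul>details...</details>";

        // Constructed hostile input: an event handler on the allowed element plus a
        // script block. <script> is on no allow list and is removed with its body.
        String hostile = "<details open ontoggle=\"alert(1)\"><summary>x</summary>"
                + "<script>alert(document.cookie)</script></details>";

        System.out.println("baseline, benign  : " + sanitizeBaseline(benign));
        System.out.println("extended, benign  : " + sanitizeWithDetails(benign));
        System.out.println("extended, hostile : " + sanitizeWithDetails(hostile));
    }
}
```

The contrast with the global off switch shipped in 1.8: under the extended policy `<details>` and `<summary>` survive, while `ontoggle=` and `<script>` do not, so the build page keeps the protection the SECURITY-906 fix introduced. Disabling the filter globally instead means that anyone who can write a pipeline calling `createSummary` with `escapeHtml: false` can place arbitrary HTML on the build page, which is the class of problem the filter was added to stop; if the switch is used, it should be because every pipeline author is already trusted to that degree.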