Closed Spinus1 closed 5 years ago
Hi Alessio
This is a side effect of the security Issue I got in this plugin. See https://github.com/jenkinsci/badge-plugin/commit/63a7744cef33338e62898576a50bcc521d76ba9f and https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906
With this finding I had to introduce an HTML filter to prevent malicious HTML. I also tried a different sanitizer (https://github.com/OWASP/java-html-sanitizer), but it also filters your tags.
Regards
Marc
Hello Marc, I'm not sure if I understand it correctly, but badge-plugin is using the antisamy-markup-formatter plugin, which, if I understood correctly, is based on OWASP AntiSamy, which should be configurable:
But, honestly, from these policy files I cannot tell whether it can be tuned to whitelist the details and summary elements... If I have some free time at work I'll test just the OWASP AntiSamy library to see how it handles this element.
It is not a big issue working without details and summary elements, but I think that having collapsible elements in the pipeline summary could improve readability when you need to store a lot of information.
BR, Alessio
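As an added example (not code from badge-plugin or from anyone in this thread), this is how the OWASP java-html-sanitizer Marc mentions can be given a whitelist policy that keeps the details/summary elements Alessio asks for while still stripping scripts, event-handler attributes and other active content. The class name and the two sample inputs are constructed for the demo.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SummaryPolicyDemo {
    // Whitelist policy: the library's stock formatting and block elements
    // (b, i, code, p, ul, li, ...) plus the collapsible <details>/<summary>
    // pair. Everything not listed (script, iframe, on* attributes, style,
    // javascript: URLs) is dropped, so the output stays safe to render.
    static final PolicyFactory SUMMARY_POLICY = new HtmlPolicyBuilder()
            .allowElements("details", "summary")
            .allowAttributes("open").onElements("details")
            .toFactory()
            .and(Sanitizers.FORMATTING)
            .and(Sanitizers.BLOCKS);

    // Apply the policy to untrusted markup; returns the cleaned HTML.
    static String sanitize(String untrustedHtml) {
        return SUMMARY_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed input shaped like the createSummary text in this thread:
        // the collapsible block survives the sanitizer intact.
        String details = "details...";
        String html = "<details><summary>Summary</summary><ul><li>list item</li></ul>"
                + details + "</details>";
        System.out.println(sanitize(html));

        // Constructed hostile input: the script block and the onclick handler
        // are removed, while the details/summary structure is kept.
        String hostile = "<details open><summary onclick=\"x()\">Click</summary>"
                + "<script>alert(1)</script>safe text</details>";
        System.out.println(sanitize(hostile));
    }
}
```

Compared with a global switch that turns the filter off entirely, a policy like this keeps the XSS protection from SECURITY-906 in place and only widens the whitelist by the two elements that are actually needed.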
Hi Alessio
I'm also thinking of adding a global settings property to disable the HTML sanitize step. By default it would be active, but it could be disabled if needed.
Regards,
Marc
Hello Marc,
Adding a global settings property would be very appreciated.
Regards Patrik
Will be released with 1.8.
With 1.8 you can disable the HTML filtering in the global configuration.
Hello, I'm using createSummary with a Jenkins pipeline. It seems that some HTML tags are removed even if I set escapeHtml to false.
Example:
def mydetails = "details..."
def html = "<details><summary>Summary</summary> <li>list item</li>" + mydetails + "</details>"
createSummary icon: 'orange-square.png', escapeHtml: false, text: html, id: "summaryID"
Output: in the pipeline summary page I can see that the \
BR, Alessio