Closed sephiroth-j closed 2 years ago
I'm not sure whether this is intended or not. I have never used HTML in the cause, but perhaps some users have.
Sounds to me like it should be reported.
I created SECURITY-2592. Closing this issue to keep any discussions in the Jira. Thanks for reporting!
Released in 1.82.
I'll start with a quote from the Jenkins website.
https://www.jenkins.io/doc/developer/security/xss-prevention/Cause-getShortDescription/
It was possible to use HTML in `causeString` and e.g. add a nice link back to the source of the pull request. With the newer version of Jenkins the HTML is now displayed as plain text. The question I am asking myself now is: is HTML in `causeString` intended or not? Because if it is, then it doesn't work anymore. Otherwise, if it is not intended, the Jenkins security team asks to report it (see the linked web page).
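The behaviour change described in this issue, as an added illustration that is not code from the plugin or from Jenkins: a cause description that used to be interpreted as markup is now HTML-escaped, so a `causeString` carrying an `<a>` tag shows up as literal text, and so does a `causeString` carrying a script payload taken from an untrusted webhook body. The third function shows the way to still get a link without accepting HTML: take the URL as a separate value, allow only `http`/`https` with a host, and build the anchor from escaped parts. The function names, the sample cause strings and the URL check are all constructed for this example.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values, standing in for what a webhook payload could put into causeString.
FRIENDLY_CAUSE = 'Triggered by <a href="https://example.com/pr/1">PR #1</a>'
HOSTILE_CAUSE = 'Triggered by <img src=x onerror=alert(document.domain)>'


def render_cause_unescaped(cause_string: str) -> str:
    """Model of the old behaviour: the string is emitted as-is, so any markup in it
    (a friendly link or a hostile handler) is interpreted by the browser."""
    return cause_string


def render_cause_escaped(cause_string: str) -> str:
    """Model of the new behaviour: <, >, &, " and ' are escaped, so the string is
    shown as plain text and a webhook sender cannot inject markup into the build page."""
    return escape(cause_string, quote=True)


def render_cause_with_link(text: str, url: str) -> Optional[str]:
    """Safe way to offer a link back to the source: the URL is a separate, validated
    value, and the anchor is assembled from escaped parts. Returns None for URLs that
    do not look like a plain web link (e.g. javascript: or data: schemes)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    href = escape(url.strip(), quote=True)
    return f'{escape(text, quote=True)} (<a href="{href}">{href}</a>)'


if __name__ == "__main__":
    print("old:", render_cause_unescaped(HOSTILE_CAUSE))
    print("new:", render_cause_escaped(HOSTILE_CAUSE))
    print("link:", render_cause_with_link("Triggered by PR #1", "https://example.com/pr/1"))
    print("rejected:", render_cause_with_link("Triggered by PR #1", "javascript:alert(1)"))
```

Running it shows that the escaped form of either sample is inert text, while the link variant keeps the anchor only for a well-formed `https://` URL and drops it for a `javascript:` one.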