Jenkins : Plugins affected by 2018-10-10 Stapler security hardening

Jenkins uses a fork of Jelly for the vast majority of the views it renders. Since 2011, it includes a feature that lets view authors opt in or out of automatic escaping of variable values for rendering in HTML, and since 2016, the plugin build tooling requires that views explicitly specify whether to apply this automatic escaping. Details are available in the developer documentation.

Until now, if views do not declare whether to automatically escape, they were rendered without automatic escaping, and developers were expected to explicitly escape every variable reference that was not supposed to contain markup. This has resulted in a number of cross-site scripting (XSS) vulnerabilities.

For that reason, we have decided to enable this automatic escaping by default if plugins do not specify a preference. This can result in problems with some plugins if they need their output to remain unescaped. We expect that those plugins will adapt pretty quickly to this change, as the fix is typically straightforward.


Affected plugins

The table provides a list of plugin which were affected by the Stapler Jelly security hardening in Jenkins 2.138.2 and 2.146. "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list.

More importantly, please file a bug report, if one doesn't exist, to help ensure that the appropriate plugin maintainer is informed.

Plugin NameImpact / behaviorIssue / pull requestStatus
Blue OceanPreloading did not work, functional tests failed
Fixed in 1.8.4
Last Failure Version ColumnRaw HTML shown instead of job link

JENKINS-54107 - raw HTML output when Stapler Security Hardening enabled Open

Upstream Downstream ColumnRaw HTML shown instead of job links

JENKINS-54124 - Raw HTML when Stapler Security Hardening enabled Open

Hudson Page Markup Plug-inRaw HTML code displayed in the browser#3973
Dashboard View PluginRaw HTML code displayed in some portlets

JENKINS-54219 - portlet rich-text-publisher-plugin rendering broken with 2.146 Open

Bug is in portlets, cannot be fixed in dashboard view plugin
Maven Deployment LinkerRaw HTML is shown in maven deployment links JENKINS-54273 - RAW HTML is shown in maven deployment links since 2.138.2 In Review
Last Success Version ColumnRaw HTML shown instead of job link

Summary Display PluginRaw HTML is shown if CDATA terms are used

Cron Column PluginRaw HTML is shown in views column

JENKINS-54846 - RAW HTML is shown in cron column since 2.138.2 In Review