Jenkins allows users with the appropriate permissions to enter descriptions of various objects, like views, jobs, builds, etc. These descriptions are filtered by markup formatters. They serve two purposes:
Allow users to use rich formatting for these descriptions
Protect other users from Cross-Site Scripting (XSS) attacks
The markup formatter can be configured in Manage Jenkins » Security » Markup Formatter.
The default markup formatter Plain text renders all descriptions as entered:
Unsafe HTML metacharacters like
& are escaped, and line breaks are rendered as
<br/> HTML tags.
Another commonly installed markup formatter is Safe HTML, provided by the OWASP Markup Formatter Plugin. It allows the use of a basic, safe subset of HTML.
Every user with an account and Overall/Read permission can edit their own user profile. This includes a description that is rendered using the configured markup formatter.
Therefore it can be unsafe to configure a markup formatter allowing arbitrary HTML even when restricting permissions like Job/Configure and Build/Update to fully trusted users: Anyone with an account will be able to edit their own description and any other user accessing their profile may become victim of an XSS attack.
This is particularly risky on publicly accessible Jenkins instances when the security realm is implemented using a service like GitHub, GitLab, or Google accounts, resulting in potentially anyone being able to log in to Jenkins and edit their own profile.
Please submit your feedback about this page through this quick form.
Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?
See existing feedback here.