[hudson-dev] FYI: markup sanitization/escaping


I've just committed some changes to master that add <?jelly escape-by-default='true'?> to the majority of core jelly scripts, as per http://wiki.hudson-ci.org/display/HUDSON/Jelly+and+XSS+prevention. This also includes using the <j:out ... /> instruction to avoid escaping of expected HTML content:


A related change involved patching stapler to support custom escaping of localized messages, including the ability to protect specific arguments:


(I used a small bit of reflection to avoid having to patch and deploy a new version of the Hudson branch of commons-jelly.)

Next step is to go through the scripts and wrap ${app.markupFormatter.translate(...)} around any descriptions and truncated/short descriptions.

Finally I'd like to add some basic HTML sanitization, either as a new HTML markup processor or built-in as a separate step - using something like:


This library is licensed as BSD, which should be ok if we want to use it directly in core. Alternatively this could always be added via a plugin/extension.

PS. Currently this library isn't available on central - but I'll try to see if it can be uploaded via the third-party route...

Cheers, Stuart
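The three mechanisms the message describes, escape-by-default rendering with an explicit opt-out for trusted markup (the <j:out/> case), escaping of localized message arguments with the ability to protect specific ones, and an allowlist HTML sanitizer run over user-supplied descriptions, as an added, self-contained illustration. This is not Hudson, Jelly or Stapler code; it is a small Python model of the pattern, and the names `Markup`, `render`, `format_message`, `sanitize`, the `${name}` / `{0}` placeholder syntax and the sample strings are all assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser


class Markup(str):
    """Marker for a string already known to be safe HTML (assumed name).
    Plays the role of content a Jelly script would emit via <j:out/>."""


def escape(value):
    """Escape-by-default: anything not explicitly marked Markup is escaped."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


_EXPR = re.compile(r"\$\{(\w+)\}")


def render(template, context, raw=frozenset()):
    """Substitute ${name} expressions (assumed syntax). Every value is escaped
    unless it is a Markup instance or its name is listed in `raw`, which is
    the explicit, per-expression opt-out that <j:out value="${name}"/> gives."""
    def sub(m):
        name = m.group(1)
        value = context.get(name, "")
        return str(value) if name in raw else escape(value)
    return _EXPR.sub(sub, template)


def format_message(pattern, *args, protect=()):
    """Localized-message style formatting with {0}, {1} placeholders (assumed
    syntax). Arguments are escaped unless their index is in `protect`, which
    models the "protect specific arguments" facility described above.
    A single regex pass is used so that text inside an argument can never be
    re-interpreted as a placeholder."""
    def sub(m):
        i = int(m.group(1))
        if i >= len(args):
            return m.group(0)  # unknown placeholder: leave it visible
        return str(args[i]) if i in protect else escape(args[i])
    return re.sub(r"\{(\d+)\}", sub, pattern)


# Minimal allowlist sanitizer for user-supplied descriptions (constructed
# policy; a real deployment would use a maintained library).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: and relative tricks
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    """Reduce an HTML fragment to the allowlist and return it as Markup, so a
    later render() emits it as-is instead of escaping it a second time."""
    p = _AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return Markup("".join(p.out))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render("<p>${desc}</p>", {"desc": "<b>x</b>"}))
    print(render("<p>${desc}</p>", {"desc": "<b>x</b>"}, raw={"desc"}))
    print(format_message("Started by {0}: {1}", "<script>alert(1)</script>",
                         Markup('<a href="/user/bob">bob</a>'), protect={1}))
    print(render("<div>${desc}</div>",
                 {"desc": sanitize('<i>hi</i><img src=x onerror=alert(1)>')}))
```

The point of the `Markup` type and the `raw` set is that escaping is the default and trust is declared at the single place where the markup is known to be safe, never inferred from the value. The sanitizer is deliberately small: it does not balance tags or handle nested contexts, which is why the message proposes pulling in a dedicated library rather than hand-rolling one in core.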