[hudson-dev] FYI: markup sanitization/escaping

Hi,

I've just committed some changes to master that add <?jelly escape-by-default='true'?> to the majority of core jelly scripts, as per http://wiki.hudson-ci.org/display/HUDSON/Jelly+and+XSS+prevention. This also includes using the <j:out ... /> instruction to avoid escaping of expected HTML content:

   http://git.eclipse.org/c/hudson/org.eclipse.hudson.core.git/commit/?id=ea0929ef8f6d3e88a0f1c6bb7cdbfcdfd323bcaa

A related change involved patching stapler to support custom escaping of localized messages, including the ability to protect specific arguments:

   http://git.eclipse.org/c/hudson/org.eclipse.hudson.stapler.git/commit/?id=5cca490c5b9fc44f60a877f767508bc81bff5945

(I used a small bit of reflection to avoid having to patch and deploy a new version of the Hudson branch of commons-jelly.)

Next step is to go through the scripts and wrap ${app.markupFormatter.translate(...)} around any descriptions and truncated/short descriptions.

Finally I'd like to add some basic HTML sanitization, either as a new HTML markup processor or built-in as a separate step - using something like:

   http://code.google.com/p/owasp-java-html-sanitizer/

This library is licensed as BSD, which should be ok if we want to use it directly in core. Alternatively this could always be added via a plugin/extension.

PS. Currently this library isn't available on central - but I'll try to see if it can be uploaded via the third-party route...

--
Cheers, Stuart
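The two layers the mail describes (escape everything by default, let only explicitly trusted markup through, and allowlist-sanitize description fields before trusting them) in one self-contained illustration. This is an added example written for this archive page, not Hudson, Stapler or OWASP code: `Markup`, `render`, `sanitize` and `render_description` are names chosen here, `Markup` stands in for `<j:out .../>`, `render_description` for the `markupFormatter.translate(...)` step, and the small parser-based sanitizer is a stand-in for the OWASP java-html-sanitizer's allowlist policy. The sample description is constructed.

```python
"""Escape-by-default plus allowlist sanitization (added example, not Hudson code).

Layer 1: render() HTML-escapes every value unless it is a Markup instance,
         mirroring escape-by-default with <j:out/> for trusted content.
Layer 2: sanitize() rebuilds untrusted HTML keeping only allowlisted tags and
         attributes, a stand-in for the OWASP java-html-sanitizer policy.
"""
from html import escape
from html.parser import HTMLParser

# Allowlist for description fields: formatting/structure tags and links only.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its text both disappear


class Markup(str):
    """A string already known to be safe HTML; render() emits it unescaped."""


def render(value):
    """Escape-by-default: anything that is not explicitly Markup is escaped."""
    if isinstance(value, Markup):
        return str(value)
    return escape(str(value), quote=True)


def clean_url(url):
    """Return url with whitespace/control chars removed if its scheme is
    allowlisted or it is a same-origin relative path or fragment; else None."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    probe = cleaned.lower()
    if probe.startswith(ALLOWED_URL_SCHEMES):
        return cleaned
    if probe.startswith("#") or (probe.startswith("/") and not probe.startswith("//")):
        return cleaned
    return None   # javascript:, data:, protocol-relative and unknown schemes


class AllowlistSanitizer(HTMLParser):
    """Re-serialise markup, keeping only allowlisted tags/attributes.
    Unknown tags are dropped but their text kept; script/style are dropped
    with their contents; every text node is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowlisted tags emitted and not yet closed
        self.dropping = False   # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, val in attrs:
            if val is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue   # drops on*, style and anything else not allowlisted
            if name == "href":
                val = clean_url(val)
                if val is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(val, quote=True)))
        if tag == "a":
            kept.append(' rel="nofollow"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_WITH_CONTENT:
                self.dropping = False
            return
        if tag in self.open_tags:
            while self.open_tags:            # close inner tags too, so output nests
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:                # close anything the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    """Allowlist-sanitize untrusted HTML; returns a plain str."""
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    return p.result()


def render_description(description):
    """The translate step: sanitize, then mark the result as trusted Markup."""
    return Markup(sanitize(description))


if __name__ == "__main__":
    # Constructed sample: legitimate formatting mixed with markup that must not run.
    sample = ('<p>Build <b>ok</b> <script>x()</script>'
              '<a href="javascript:x" onclick="y">link</a></p>')
    print(render(sample))                        # escaped: tags shown literally
    print(render(render_description(sample)))    # sanitized: formatting kept, rest gone
```

The point of the `Markup` type is that the default path is the safe one: a view author has to do something explicit to get raw HTML out, and the only sanctioned way to produce `Markup` from user input is through the sanitizer.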