| [hudson-dev] FYI: markup sanitization/escaping |
Hi, I've just committed some changes to master that add <?jelly escape-by-default='true'?> to the majority of core jelly scripts, as per http://wiki.hudson-ci.org/display/HUDSON/Jelly+and+XSS+prevention This also includes using the <j:out ... /> instruction to avoid escaping of expected HTML content: http://git.eclipse.org/c/hudson/org.eclipse.hudson.core.git/commit/?id=ea0929ef8f6d3e88a0f1c6bb7cdbfcdfd323bcaa A related change involved patching stapler to support custom escaping of localized messages, including the ability to protect specific arguments: http://git.eclipse.org/c/hudson/org.eclipse.hudson.stapler.git/commit/?id=5cca490c5b9fc44f60a877f767508bc81bff5945 ( I used a small bit of reflection to avoid having to patch and deploy a new version of the Hudson branch of commons-jelly ) Next step is to go through the scripts and wrap ${app.markupFormatter.translate(...)} around any descriptions and truncated/short descriptions. Finally I'd like to add some basic HTML sanitization, either as a new HTML markup processor or built-in as a separate step - using something like: http://code.google.com/p/owasp-java-html-sanitizer/ This library is licensed as BSD, which should be ok if we want to use it directly in core. Alternatively this could always be added via a plugin/extension. PS. Currently this library isn't available on central - but I'll try to see if it can be uploaded via the third-party route... -- Cheers, Stuart