[
https://issues.jenkins-ci.org/browse/JENKINS-11098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160480#comment-160480
]
Martin Heinrich commented on JENKINS-11098:
-------------------------------------------
Here comes another example without security impact (this is part of the Console
Output source - this part comes in the <pre>-tag):
[Tue Mar 20 14:41:00 CET 2012] [tc] [<span style="color: yellow;">warn</span>]
'<span style="color: yellow;"> line 41 column 1 - Warning: trimming empty
<dd></span>'
<span style="display: none;">[Tue Mar 20 14:41:00 CET 2012] [tc]
[�[33mwarn�[0m] '�[33m line 41 column 1 - Warning: trimming empty
&lt;dd>�[0m'
</span>
The &gt; right before the escape character is not escaped. Should be
&lt;dd&gt;.
> Ansicolor Plugin makes console output view vulnerable to XSS attacks
> --------------------------------------------------------------------
>
> Key: JENKINS-11098
> URL: https://issues.jenkins-ci.org/browse/JENKINS-11098
> Project: Jenkins
> Issue Type: Bug
> Components: plugin
> Reporter: Karsten Elfenbein
>
> The plugin has a problem with XSS code.
> Just create a buildjob that executes the following shell command and have
> ansicolor enabled.
> echo -e "\e[1;94m test<script>var xss = function() { alert('not good');};
> xss();</script>"
> It needs the special char which seems to get filtered in Jira.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
