[ https://issues.jenkins-ci.org/browse/JENKINS-11098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160480#comment-160480 ]
Martin Heinrich commented on JENKINS-11098: ------------------------------------------- Here comes another example without security impact (this is part of the Console Output source - this part comes in the <pre>-tag): [Tue Mar 20 14:41:00 CET 2012] [tc] [<span style="color: yellow;">warn</span>] '<span style="color: yellow;"> line 41 column 1 - Warning: trimming empty <dd></span>' <span style="display: none;">[Tue Mar 20 14:41:00 CET 2012] [tc] [[33mwarn[0m] '[33m line 41 column 1 - Warning: trimming empty &lt;dd>[0m' </span> The &gt; right before the escape character is not escaped. Should be &lt;dd&gt;. > Ansicolor Plugin makes console output view vulnerable to XSS attacks > -------------------------------------------------------------------- > > Key: JENKINS-11098 > URL: https://issues.jenkins-ci.org/browse/JENKINS-11098 > Project: Jenkins > Issue Type: Bug > Components: plugin > Reporter: Karsten Elfenbein > > The plugin has a problem with XSS code. > Just create a buildjob that executes the following shell command and have > ansicolor enabled. > echo -e "\e[1;94m test<script>var xss = function() { alert('not good');}; > xss();</script>" > It needs the special char which seems to get filtered in Jira. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira