[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks

2012-06-18 Thread dbl...@dblock.org (JIRA)

Daniel Doubrovkine resolved JENKINS-11098 as Fixed

Ansicolor Plugin makes console output view vulnerable to XSS attacks

Fixed since 0.2.0 of the plugin.

Change By: Daniel Doubrovkine (18/Jun/12 2:44 PM)
Status: Open -> Resolved
Resolution: Fixed

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks

2012-06-18 Thread dbl...@dblock.org (JIRA)

Daniel Doubrovkine closed JENKINS-11098 as Fixed

Ansicolor Plugin makes console output view vulnerable to XSS attacks

Change By: Daniel Doubrovkine (18/Jun/12 2:44 PM)
Status: Resolved -> Closed

[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks

2012-06-16 Thread dbl...@dblock.org (JIRA)

Daniel Doubrovkine commented on JENKINS-11098

Ansicolor Plugin makes console output view vulnerable to XSS attacks

I created https://github.com/dblock/jenkins-ansicolor-plugin/issues/14. Could you please add examples there? Would love a pull request with a fix.

[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks

2012-03-20 Thread heinrichmar...@hotmail.com (JIRA)

[ 
https://issues.jenkins-ci.org/browse/JENKINS-11098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=160480#comment-160480
 ] 

Martin Heinrich commented on JENKINS-11098:
---

Here comes another example without security impact (this is part of the Console 
Output source - this part comes in the pre-tag):

[Tue Mar 20 14:41:00 CET 2012] [tc] [span style=color: yellow;warn/span] 
'span style=color: yellow;   line 41 column 1 - Warning: trimming empty 
dd/span'

span style=display: none;[Tue Mar 20 14:41:00 CET 2012] [tc] 
[warn] ' line 41 column 1 - Warning: trimming empty 
amp;lt;dd'
/span

The &gt; right before the escape character is not escaped. Should be 
&lt;dd&gt;.

 Ansicolor Plugin makes console output view vulnerable to XSS attacks
 

 Key: JENKINS-11098
 URL: https://issues.jenkins-ci.org/browse/JENKINS-11098
 Project: Jenkins
  Issue Type: Bug
  Components: plugin
Reporter: Karsten Elfenbein

 The plugin has a problem with XSS code.
 Just create a buildjob that executes the following shell command and have 
 ansicolor enabled.
 echo -e \e[1;94m testscriptvar xss = function()  { alert('not good');}; 
 xss();/script
 It needs the special char which seems to get filtered in Jira.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
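
The escaping problem discussed in this thread, shown as an added example (not code from the AnsiColor plugin or from anyone in the thread): a small ANSI-to-HTML converter that escapes every text segment, including the one ending right before an escape character. The names `render`, `COLORS` and `SAMPLE` are hypothetical, and the input line is constructed from the log line quoted in the comment above.

```python
import html
import re

# SGR ("Select Graphic Rendition") sequences: ESC [ params m
SGR = re.compile(r"\x1b\[([0-9;]*)m")

# Small constructed colour table; a real renderer supports many more codes.
COLORS = {"31": "red", "32": "green", "33": "yellow", "94": "blue"}


def render(line: str, escape: bool = True) -> str:
    """Convert one console line with SGR colour codes to HTML.

    escape=False shows the unsafe behaviour (console text copied verbatim);
    escape=True HTML-escapes every text segment, including the one that
    ends immediately before an escape character.
    """
    out = []
    open_span = False
    pos = 0

    def emit(text: str) -> None:
        out.append(html.escape(text, quote=True) if escape else text)

    for m in SGR.finditer(line):
        emit(line[pos:m.start()])          # text up to the escape character
        pos = m.end()
        codes = m.group(1).split(";") if m.group(1) else ["0"]
        if open_span:                      # any new SGR closes the open span
            out.append("</span>")
            open_span = False
        color = next((COLORS[c] for c in codes if c in COLORS), None)
        if color:                          # markup is built from the table only
            out.append(f'<span style="color: {color};">')
            open_span = True
    emit(line[pos:])                       # trailing text after the last code
    if open_span:
        out.append("</span>")
    return "".join(out)


# Constructed input modelled on the log line quoted in the comment above.
SAMPLE = "[warn] '\x1b[33m line 41 column 1 - Warning: trimming empty <dd>\x1b[0m'"

if __name__ == "__main__":
    print("unsafe:", render(SAMPLE, escape=False))
    print("safe:  ", render(SAMPLE, escape=True))
```

A regression test for a renderer like this should assert that, once the converter's own `<span>` tags are removed, no `<` or `>` from the build log remains in the output.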