[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks
Daniel Doubrovkine resolved JENKINS-11098 as Fixed

Ansicolor Plugin makes console output view vulnerable to XSS attacks

Fixed since 0.2.0 of the plugin.

Change By: Daniel Doubrovkine (18/Jun/12 2:44 PM)
Status: Open -> Resolved
Resolution: Fixed

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira
[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks
Daniel Doubrovkine closed JENKINS-11098 as Fixed

Ansicolor Plugin makes console output view vulnerable to XSS attacks

Change By: Daniel Doubrovkine (18/Jun/12 2:44 PM)
Status: Resolved -> Closed
[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks
Daniel Doubrovkine commented on JENKINS-11098

Ansicolor Plugin makes console output view vulnerable to XSS attacks

I created https://github.com/dblock/jenkins-ansicolor-plugin/issues/14. Could you please add examples there? Would love a pull request with a fix.
[JIRA] (JENKINS-11098) Ansicolor Plugin makes console output view vulnerable to XSS attacks
[ https://issues.jenkins-ci.org/browse/JENKINS-11098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160480#comment-160480 ]

Martin Heinrich commented on JENKINS-11098:
---

Here comes another example without security impact (this is part of the Console Output source - this part comes in the pre-tag):

[Tue Mar 20 14:41:00 CET 2012] [tc] [<span style="color: yellow;">warn</span>] '<span style="color: yellow;"> line 41 column 1 - Warning: trimming empty <dd></span>' <span style="display: none;">[Tue Mar 20 14:41:00 CET 2012] [tc] [[33mwarn[0m] '[33m line 41 column 1 - Warning: trimming empty &lt;dd>[0m' </span>

The &gt; right before the escape character is not escaped. Should be &lt;dd&gt;.

Ansicolor Plugin makes console output view vulnerable to XSS attacks

Key: JENKINS-11098
URL: https://issues.jenkins-ci.org/browse/JENKINS-11098
Project: Jenkins
Issue Type: Bug
Components: plugin
Reporter: Karsten Elfenbein

The plugin has a problem with XSS code. Just create a buildjob that executes the following shell command and have ansicolor enabled.

echo -e "\e[1;94m test<script>var xss = function() { alert('not good');}; xss();</script>"

It needs the special char which seems to get filtered in Jira.
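Added example, not part of the JIRA thread and not the plugin's own code: a minimal ANSI-colour-to-HTML converter showing the failure mode reported above next to the fix, which is to HTML-escape every text segment between escape sequences before wrapping it in a span. The names ansi_to_html, SGR and COLORS are hypothetical, the colour table is a constructed subset, and the two sample lines are constructed from the console lines quoted in the thread.

```python
import html
import re

# SGR sequences only (ESC [ params m); the colour table is a constructed subset.
SGR = re.compile(r"\x1b\[([0-9;]*)m")
COLORS = {"31": "red", "32": "green", "33": "yellow", "34": "blue", "94": "blue"}

# Constructed samples based on the two console lines quoted in the thread.
TIDY_LINE = "[tc] [\x1b[33mwarn\x1b[0m] '\x1b[33m line 41 column 1 - Warning: trimming empty <dd>\x1b[0m'"
SCRIPT_LINE = "\x1b[1;94m test<script>var xss = function() { alert('not good');}; xss();</script>"


def ansi_to_html(line: str, escape_text: bool = True) -> str:
    """Convert SGR colour codes to <span> markup.

    escape_text=False reproduces the reported behaviour: build output between
    escape sequences is copied into the page verbatim.
    """
    out, pos, open_span = [], 0, False
    emit = html.escape if escape_text else (lambda s: s)
    for m in SGR.finditer(line):
        out.append(emit(line[pos:m.start()]))  # text before this sequence
        pos = m.end()
        if open_span:                          # any SGR closes the current span
            out.append("</span>")
            open_span = False
        # The colour comes from a fixed table, never from the input itself.
        params = reversed(m.group(1).split(";"))
        color = next((COLORS[p] for p in params if p in COLORS), None)
        if color:
            out.append(f'<span style="color: {color};">')
            open_span = True
    out.append(emit(line[pos:]))               # trailing text after the last sequence
    if open_span:
        out.append("</span>")
    return "".join(out)


if __name__ == "__main__":
    print(ansi_to_html(SCRIPT_LINE, escape_text=False))  # markup passes through
    print(ansi_to_html(SCRIPT_LINE))                     # markup rendered inert
    print(ansi_to_html(TIDY_LINE))
```

Escaping per segment, rather than escaping the finished string, is what keeps the generated span tags intact while the build output inside them stays inert.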