
causeString and redefinition of Cause#getShortDescription #228

Closed
sephiroth-j opened this issue Jan 10, 2022 · 3 comments
@sephiroth-j
Member

I'll start with a quote from the Jenkins website.

The Cause#getShortDescription method was defined to return a "one line" short snippet of HTML in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. To prevent further security vulnerabilities like SECURITY-2499 from having an impact on Jenkins users, the method has been redefined to return plain text in Jenkins 2.315 and LTS 2.303.2, and its output is no longer rendered as HTML on the UI.

https://www.jenkins.io/doc/developer/security/xss-prevention/Cause-getShortDescription/

It was possible to use HTML in causeString and e.g. add a nice link back to the source of the pull request. With the newer version of Jenkins the HTML is now displayed as plain text.

The question I am asking myself now is: is HTML in causeString intended or not? Because if it is, then it doesn't work anymore. Otherwise, if it is not intended, the Jenkins security team asks to report it (see the linked web page).
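The contract change quoted above, shown from the plugin side as an added example (this is not code from the generic-webhook-trigger plugin or from Jenkins core): `hudson.model.Cause` and its abstract `getShortDescription()` are the real API; `WebhookCause`, its fields and the `toOneLinePlainText` helper are hypothetical. Under the redefined contract the returned string is treated as plain text and escaped by the UI, so any markup in it is displayed literally; keeping a link as a separate data field that a dedicated view can render is the assumption made here for plugins that still want a clickable source.

```java
// Added example; not the plugin's or Jenkins core's own code.
// Only hudson.model.Cause and getShortDescription() are real Jenkins API;
// the class, fields and helper below are hypothetical.
import hudson.model.Cause;

public class WebhookCause extends Cause {

    // Caller-supplied text, e.g. the plugin's causeString from the webhook payload.
    private final String causeString;

    // If a "link back to the pull request" is wanted, keep the URL as data here
    // (assumption: rendered by a dedicated view) instead of embedding <a> tags
    // in the description, which the UI now shows as literal text.
    private final String sourceUrl;

    public WebhookCause(String causeString, String sourceUrl) {
        this.causeString = toOneLinePlainText(causeString);
        this.sourceUrl = sourceUrl;
    }

    /**
     * Jenkins 2.315 / LTS 2.303.2 and later: the return value is plain text and is
     * HTML-escaped before display, so "<a href=...>" shows up verbatim. On older cores
     * the same value was rendered as HTML, which is why a caller-controlled string
     * here was an XSS exposure of the SECURITY-2499 kind.
     */
    @Override
    public String getShortDescription() {
        return causeString;
    }

    public String getSourceUrl() {
        return sourceUrl;
    }

    /**
     * Normalise to a single line and drop control characters. No markup is
     * interpreted or stripped: the UI escapes it, and stripping would silently
     * change what the caller wrote.
     */
    static String toOneLinePlainText(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '\n' || c == '\r' || c == '\t') {
                sb.append(' ');            // line breaks become spaces: "one line" contract
            } else if (!Character.isISOControl(c)) {
                sb.append(c);              // everything else passes through unchanged
            }
        }
        return sb.toString().trim().replaceAll(" {2,}", " ");
    }
}
```

With this shape, a payload of `Triggered by <a href="https://example.invalid/pr/1">PR #1</a>` is displayed exactly as that text on a current core; the link itself lives in `sourceUrl` and is not part of the description at all.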

@tomasbjerre
Contributor

I'm not sure about intended or not. I have never used HTML in the cause, perhaps some users have.

Sounds to me like it should be reported.

@tomasbjerre
Contributor

I created SECURITY-2592. Closing this issue to keep any discussions in the Jira. Thanks for reporting!

@tomasbjerre
Contributor

Released in 1.82.
