unsanitized HTML: script tags are ignored in log output #6931

Closed
gangerli opened this issue Mar 26, 2021 · 2 comments

@gangerli

Describe the bug
The contents of <script> tags in unsanitized HTML are ignored when viewed in the Log Output.

My Rundeck detail

  • Rundeck version: 3.3.10
  • install type: deb
  • OS Name/version: Ubuntu 18.04.5 LTS
  • DB Type/version: H2

To Reproduce

  1. Allow unsanitized HTML output in framework.properties

    framework.output.allowUnsanitized=true
    
  2. Restart Rundeck

  3. Allow unsanitized HTML output on the project

    project.output.allowUnsanitized=true
    
  4. Create a job with a step that outputs the following HTML and add an unsanitized HTML formatter log filter:

    <html>
      <head>
        <title>Functions!!!</title>
        <script type="text/javascript">
         function nag()  {
           alert("boo!")
         }
        </script>
      </head>
      <body>
        <button type="button" onclick="(function () { alert('boo') })()">Attribute JS</button>
        <button type="button" onclick="nag()">Script JS</button>
      </body>
    </html>
    
  5. Run job with log output as the active tab

Expected behavior
Both buttons should produce an alert window when clicked.

Observed behavior
Only the button labeled "Attribute JS" works in the Log output. Interestingly, the <script> tags are not stripped, and if viewed as HTML, both buttons work as expected.

Desktop (please complete the following information):

  • OS: Linux
  • Browser: Firefox
  • Version: 86.0.1

Additional context
Known to work in earlier versions (independently confirmed in 3.2.1)
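As an added example, not code from the issue or from Rundeck: a Node.js scanner that lists every JavaScript-bearing construct in an HTML fragment before it is rendered unsanitized, and separates the constructs that stay inert when a fragment is inserted with innerHTML (script element bodies, which the HTML spec says are not executed on insertion) from the ones that still run (on* handler attributes and javascript: URLs). Whether the Rundeck log view inserts the fragment via innerHTML is an assumption here; the split matches the behaviour reported above. The sample inputs are constructed: the HTML from the report plus an img/onerror payload that fires without a click. The function names and the javascript: URL check are this example's own and go beyond the report.

```javascript
// Added example, not Rundeck's code: scan an HTML fragment that is about to be
// rendered unsanitized (as the render-datatype log filter does with
// sanitizeHtml=false) and list every construct that can execute JavaScript.
// Run with: node scan.js

// Constructed sample: the HTML from the issue report.
const ISSUE_HTML = `<html>
  <head>
    <title>Functions!!!</title>
    <script type="text/javascript">
     function nag()  {
       alert("boo!")
     }
    </script>
  </head>
  <body>
    <button type="button" onclick="(function () { alert('boo') })()">Attribute JS</button>
    <button type="button" onclick="nag()">Script JS</button>
  </body>
</html>`;

// Constructed sample: a payload that needs no click at all; the handler fires
// as soon as the image fails to load.
const NO_CLICK_HTML = `<img src=x onerror=alert(document.cookie)>`;

// Regex-based scanner. Adequate for log lines of the shape shown in the issue;
// a real sanitizer must use a proper HTML parser, because attribute values
// containing ">" and malformed markup defeat these expressions.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Every construct in the fragment that can run script, whichever way the
// fragment ends up in a document.
function findScriptVectors(html) {
  const vectors = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    vectors.push({ kind: 'script-element', tag: 'script', attr: null, detail: m[1].trim() });
  }
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (tag === 'script') continue; // element body already recorded above
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) {
        vectors.push({ kind: 'event-handler', tag, attr: name, detail: value });
      } else if (URL_ATTRS.has(name) && /^\s*javascript:/i.test(value)) {
        vectors.push({ kind: 'javascript-url', tag, attr: name, detail: value });
      }
    }
  }
  return vectors;
}

// What still executes if the fragment is inserted with innerHTML: everything
// except the script element bodies (the HTML spec does not run those).
// That the log view inserts the fragment this way is an assumption.
function liveAfterInnerHtml(html) {
  return findScriptVectors(html).filter(v => v.kind !== 'script-element');
}

// Print a summary and return the counts so they can be checked programmatically.
function report(label, html) {
  const all = findScriptVectors(html);
  const live = liveAfterInnerHtml(html);
  console.log(`${label}: ${all.length} vector(s) total, ${live.length} live after innerHTML insertion`);
  for (const v of all) {
    console.log(`  ${v.kind}${v.attr ? ` <${v.tag} ${v.attr}>` : ''}: ${v.detail}`);
  }
  return { total: all.length, live: live.length };
}

report('issue sample', ISSUE_HTML);
report('no-click sample', NO_CLICK_HTML);
```

For the issue sample the scanner reports three vectors of which two are live, which is the practical point: an inert `<script>` body does not make unsanitized output safe, because anything a job step prints reaches the log viewer as markup whose event-handler attributes still run, and a payload like the img/onerror sample does so without anyone clicking.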

@MegaDrive68k

Reproduced.

With this job definition:

<joblist>
  <job>
    <defaultTab>nodes</defaultTab>
    <description></description>
    <executionEnabled>true</executionEnabled>
    <id>7e99966c-5ef6-46ad-bc7c-a2dcf2a02e11</id>
    <loglevel>INFO</loglevel>
    <name>HTMLExample</name>
    <nodeFilterEditable>false</nodeFilterEditable>
    <plugins />
    <scheduleEnabled>true</scheduleEnabled>
    <sequence keepgoing='false' strategy='node-first'>
      <command>
        <exec>cat /path/to/the/html/file.html</exec>
        <plugins>
          <LogFilter type='render-datatype'>
            <config>
              <datatype>text/html</datatype>
              <sanitizeHtml>false</sanitizeHtml>
              <striped>true</striped>
            </config>
          </LogFilter>
        </plugins>
      </command>
    </sequence>
    <uuid>7e99966c-5ef6-46ad-bc7c-a2dcf2a02e11</uuid>
  </job>
</joblist>

This HTML code:

<html>
  <head>
    <title>Functions!!!</title>
    <script type="text/javascript">
      function myFunction() {
        alert("boo!")
      }
    </script>
  </head>
  <body>
    <button type="button" onclick="(myFunction())">Nag</button>
  </body>
</html>

Adding this parameter to the framework.properties file:

framework.output.allowUnsanitized=true

And setting "Allow Unsanitized HTML output" at the project level:

[screenshot: project-level "Allow Unsanitized HTML output" setting]

On 3.2.X it's possible to "unsanitize" the log output (the <script></script> tag is allowed):

[screenshot: log output on 3.2.x]

But on 3.3.10 it doesn't:

[screenshot: log output on 3.3.10]

Thanks for your feedback @gangerli!

@stale

stale bot commented Mar 30, 2022

In an effort to focus on bugs and issues that impact currently supported versions of Rundeck, we have elected to notify GitHub issue creators if their issue is classified as stale and close the issue. An issue is identified as stale when there have been no new comments, responses or other activity within the last 12 months. If a closed issue is still present please feel free to open a new Issue against the current version and we will review it. If you are an enterprise customer, please contact your Rundeck Support to assist in your request.
Thank you, The Rundeck Team

@stale stale bot added the wontfix:stale label Mar 30, 2022
@stale stale bot closed this as completed Apr 16, 2022