From 1b99db52aaf2282003693b56fb9068ad21cb21ab Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Wed, 13 Mar 2024 15:59:41 +0100
Subject: [PATCH 1/3] Restore help text for Markup Formatter setting
---
.../help-markupFormatter.html | 24 +++++++++++++++++++
.../model/Jenkins/help-markupFormatter.html | 17 -------------
.../Jenkins/help-markupFormatter_bg.html | 15 ------------
.../Jenkins/help-markupFormatter_it.html | 19 ---------------
.../Jenkins/help-markupFormatter_ja.html | 18 --------------
.../Jenkins/help-markupFormatter_zh_TW.html | 17 -------------
6 files changed, 24 insertions(+), 86 deletions(-)
create mode 100644 core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
delete mode 100644 core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter.html
delete mode 100644 core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_bg.html
delete mode 100644 core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_it.html
delete mode 100644 core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_ja.html
delete mode 100644 core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_zh_TW.html
diff --git a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
new file mode 100644
index 000000000000..c63dbedd9375
--- /dev/null
+++ b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
@@ -0,0 +1,24 @@
+
+
+ Jenkins shows user-provided descriptions on objects like jobs, views, or builds.
+ The markup formatter controls how those descriptions are rendered.
+
+
+ “Plain text” is the default formatter and renders the provided description largely as entered.
+
+
+ Plugin may contribute additional markup formatters that support HTML or other markup languages.
+
+
+ Note:
+ Some descriptions can be provided from possibly unexpected sources.
+ Some examples:
+
+
+ - any user with an account in Jenkins can set their own description
+ - Pipelines, as well as build steps for other job types, may be configured to set the current build's description
+
+
+ Using a markup formatter that renders user input verbatim as HTML may allow cross-site scripting attacks.
+
+
diff --git a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter.html b/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter.html
deleted file mode 100644
index 6f1cde576fbf..000000000000
--- a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter.html
+++ /dev/null
@@ -1,17 +0,0 @@
-
- In such places as project description, user description, view description, and
- build description, Jenkins allows users to enter some free-form text that
- describes something. This configuration determines how such free-form text is
- converted to HTML. By default, Jenkins treats the text as HTML and use it
- as-is unmodified (and this is default mainly because of the backward
- compatibility.)
-
-
- While this is convenient and people often use it to load <iframe>,
- <script>. and so on to mash up data from other sources, this capability
- enables malicious users to mount
- XSS attacks
- . If the risk outweighs the benefit, install additional markup formatter
- plugins and use them.
-
-
diff --git a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_bg.html b/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_bg.html
deleted file mode 100644
index 11956b33baee..000000000000
--- a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_bg.html
+++ /dev/null
@@ -1,15 +0,0 @@
-
- На места като описанията на проект, потребител, изглед или изграждане, Jenkins
- ви позволява да въведете свободен, описателен текст. Тази настройка определя
- как този свободен текст се преобразува до HTML. Стандартно счита текста за
- HTML и го ползва както е (това поведение е за съвместимост с предишни версии).
-
-
- Това е доста удобно и хората го ползват, за да зареждат <iframe>,
- <script> и т.н., това позволява на недобронамерените потребители да
- извършат атаки чрез
- XSS
- . Ако рискът е прекомерно голям, инсталирайте допълнителна приставка за
- форматиране на текста и ползвайте нея.
-
-
diff --git a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_it.html b/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_it.html
deleted file mode 100644
index 031b6aded0bf..000000000000
--- a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_it.html
+++ /dev/null
@@ -1,19 +0,0 @@
-
- Jenkins, in campi come la descrizione di un progetto, di un utente, di una
- vista e di una compilazione, consente agli utenti di immettere del testo
- libero che descriva qualcosa. Questa configurazione determina la modalità in
- cui tale testo libero viene convertito in HTML. Per impostazione predefinita,
- Jenkins tratta il testo come HTML e lo utilizza senza modifiche (questa è
- l'impostazione predefinita principalmente per motivi di retrocompatibilità).
-
-
- Quest'opzione è comoda e gli utenti spesso la utilizzano per caricare
- <iframe>, <script> e altri tag per combinare dati da più sorgenti, ma
- consente a utenti malevoli di portare a termine
-
- attacchi XSS
-
- . Se i rischi superano i benefici, si installino componenti aggiuntivi per
- la formattazione del markup e li si usino.
-
-
diff --git a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_ja.html b/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_ja.html
deleted file mode 100644
index 40ee45eecfcf..000000000000
--- a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_ja.html
+++ /dev/null
@@ -1,18 +0,0 @@
-
- プロジェクト、ユーザー、ビューそしてビルドの説明などのような入力箇所では、フリーフォーマットのテキストを入力することができます。
- この設定で、そのフリーフォーマットのテキストをどのようにHTMLに変換するかを決定します。
- デフォルトでは、テキストをHTMLとして扱い、変更することなくそのまま使用します(主に後方互換のためです)。
-
-
- これはとても便利なので、<iframe>,
- <script>をロードするために、また他のソースからのデータを取り込むためによく使用しますが、
- 悪意のあるユーザーが
-
- クロスサイトスクリプティング
-
- をしかけることを容易にしてしまいます。
- 便利さより危険性を重視するなら、他のフォーマッタープラグインをインストールして使用してください。
-
-
diff --git a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_zh_TW.html b/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_zh_TW.html
deleted file mode 100644
index 6a737ac54f43..000000000000
--- a/core/src/main/resources/jenkins/model/Jenkins/help-markupFormatter_zh_TW.html
+++ /dev/null
@@ -1,17 +0,0 @@
-
- Jenkins
- 可以讓您自由輸入描述文字在專案說明、使用者說明、視景說明及建置說明...這些地方。
- 這個設定決定怎麼把您輸入的文字轉換成 HTML。Jenkins 預設把這些文字當做 HTML
- 直接拿來顯示 (這個預設值主要是為了跟舊版相容)。
-
-
- 這樣很方便,大家常用來載入 <iframe> 或 <script>,整合其他來源的資料。
- 但是也有可能被惡意使用者掛上
-
- XSS 攻擊
-
- 。 如果您評估的風險大過好處,請另外安裝使用標記格式外掛程式。
-
-
From 65e81332482386c5b69b5a8b1ef4101e905094df Mon Sep 17 00:00:00 2001
From: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
Date: Wed, 13 Mar 2024 18:31:18 +0100
Subject: [PATCH 2/3] Update
core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
Co-authored-by: Mark Waite
---
.../GlobalSecurityConfiguration/help-markupFormatter.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
index c63dbedd9375..ef24984593ab 100644
--- a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
+++ b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
@@ -7,7 +7,7 @@
“Plain text” is the default formatter and renders the provided description largely as entered.
- Plugin may contribute additional markup formatters that support HTML or other markup languages.
+ Plugins may contribute additional markup formatters that support HTML or other markup languages.
Note:
From a6313d40b8d087f7d43bea18f739904816203f23 Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Wed, 13 Mar 2024 18:34:09 +0100
Subject: [PATCH 3/3] mvn -pl war frontend:yarn
-Dfrontend.yarn.arguments=lint:fix
---
.../help-markupFormatter.html | 29 ++++++++++++++-----
1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
index c63dbedd9375..7753dbef081d 100644
--- a/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
+++ b/core/src/main/resources/hudson/security/GlobalSecurityConfiguration/help-markupFormatter.html
@@ -1,24 +1,37 @@
- Jenkins shows user-provided descriptions on objects like jobs, views, or builds.
- The markup formatter controls how those descriptions are rendered.
+ Jenkins shows user-provided descriptions on objects like jobs, views, or
+ builds. The markup formatter controls how those descriptions are rendered.
- “Plain text” is the default formatter and renders the provided description largely as entered.
+ “Plain text” is the default formatter and renders the provided
+ description largely as entered.
- Plugin may contribute additional markup formatters that support HTML or other markup languages.
+ Plugin may contribute additional markup formatters that support HTML or
+ other markup languages.
Note:
- Some descriptions can be provided from possibly unexpected sources.
- Some examples:
+ Some descriptions can be provided from possibly unexpected sources. Some
+ examples:
- any user with an account in Jenkins can set their own description
- - Pipelines, as well as build steps for other job types, may be configured to set the current build's description
+ -
+ Pipelines, as well as build steps for other job types, may be configured
+ to set the current build's description
+
- Using a markup formatter that renders user input verbatim as HTML may allow cross-site scripting attacks.
+ Using a markup formatter that renders user input verbatim as HTML may allow
+
+ cross-site scripting
+
+ attacks.
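Review bot: The reflowed line `Plugin may contribute additional markup formatters that support HTML or` drops the `Plugins` wording fix that PATCH 2 made, and the file header's `index c63dbedd9375..7753dbef081d` shows this hunk was generated from the pre-PATCH-2 blob rather than from `ef24984593ab`. Applied in series order this will presumably either fail to apply cleanly or silently revert PATCH 2. Rebase this lint:fix commit on top of PATCH 2 so the new-side line reads `Plugins may contribute additional markup formatters that support HTML or`. The rest of the hunk only re-wraps the existing text, so nothing else here needs attention.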