The Cause#getShortDescription
method was defined to return a "one line" short snippet of HTML in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier.
To prevent further security vulnerabilities like SECURITY-2499 from having an impact on Jenkins users, the method has been redefined to return plain text in Jenkins 2.315 and LTS 2.303.2, and its output is no longer rendered as HTML on the UI.
If an implementation of #getShortDescription
returns a string that includes user-specified content, plugin maintainers are advised to consider both the behavior of older and newer Jenkins releases if their plugin can be used on Jenkins 2.314 and earlier.
"User content" in this case refers to any dynamic content that is specified locally or provided by another system that Jenkins integrates with and is not guaranteed to be safe to interpret as HTML.
This is safe to use and no adaptation to the new behavior of Jenkins is necessary.
This is safe to use, but will need to be adapted to the new behavior of Jenkins, otherwise the UI will render escaped HTML tags.
Define a custom description.jelly
file that renders HTML, and return plain text content from #getShortDescription
.
This is likely unsafe in older Jenkins releases if users are able to inject HTML. Please report this to the Jenkins security team.
This may or may not be safe in older Jenkins releases, depending on whether user content is specifically escaped.
Define a custom description.jelly
file that renders HTML, and return plain text content from #getShortDescription
.
Be mindful of user content rendered as part of #getShortDescription
intending to be plain text, but which would still be rendered as HTML in Jenkins 2.314 and earlier, 2.303.1 and earlier.