Markup Formatters


Jenkins allows users with the appropriate permissions to enter descriptions of various objects, like views, jobs, builds, etc. These descriptions are filtered by markup formatters. They serve two purposes:

  1. Allow users to use rich formatting for these descriptions

  2. Protect other users from Cross-Site Scripting (XSS) attacks

Configuring the Markup Formatter

The markup formatter can be configured in Manage Jenkins » Security » Markup Formatter.

The default markup formatter, Plain text, renders all descriptions as entered: unsafe HTML metacharacters like < and & are escaped, and line breaks are rendered as <br/> HTML tags.

Another commonly installed markup formatter is Safe HTML, provided by the OWASP Markup Formatter Plugin. It allows the use of a basic, safe subset of HTML.
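To make the difference between the two formatters concrete, here is an added, self-contained Python illustration; it is not Jenkins code and not the OWASP Markup Formatter Plugin's sanitizer. The plain-text function escapes metacharacters before inserting <br/> tags, matching the behaviour described above. The allowlist sanitizer is a minimal stand-in for a "safe subset of HTML" formatter: the tag allowlist, the attribute allowlist and the accepted URL schemes are assumptions chosen for the example, and the sample description is constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample description containing an XSS attempt (not taken from the page).
SAMPLE = ('<b>Release</b> build\n'
          '<script>alert(1)</script> & '
          '<a href="javascript:alert(1)" onclick="x()">link</a>')

# Assumed allowlists for the example; a real formatter ships its own policy.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def plain_text_format(description: str) -> str:
    """Plain text behaviour: escape metacharacters, then turn newlines into <br/>.

    The order matters: escaping first means the inserted <br/> tags survive,
    while every '<', '&' and quote typed by the user is neutralised.
    """
    escaped = html.escape(description, quote=True)
    return escaped.replace("\r\n", "\n").replace("\n", "<br/>")


class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted tags/attributes; drop everything else.

    Unknown tags (img, iframe, ...) are removed but their text content is kept.
    <script> and <style> are removed together with their content, because the
    parser delivers that content as raw text that must never reach the page.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            # Event handlers (onclick, onerror, ...) never appear in the allowlist.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # Reject javascript:, data: and other schemes not explicitly allowed.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append("<br/>" if tag == "br" else f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped, so a literal '<' or '&' cannot open new markup.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def safe_html_format(description: str) -> str:
    """Safe-HTML style formatter: returns the allowlisted subset of the input."""
    parser = AllowlistSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("Plain text:", plain_text_format(SAMPLE))
    print("Safe HTML: ", safe_html_format(SAMPLE))
```

Running the script shows the plain-text output as one escaped line with a <br/> in the middle, and the safe-HTML output keeping the <b> and <a> elements while the script block, the javascript: link target and the onclick handler are gone. An allowlist formatter is only as safe as its policy; an "arbitrary HTML" formatter is equivalent to passing the description through unchanged.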

Security Considerations

User Profile Descriptions

Every user with an account and Overall/Read permission can edit their own user profile. This includes a description that is rendered using the configured markup formatter.

Therefore it can be unsafe to configure a markup formatter that allows arbitrary HTML, even when permissions like Job/Configure and Build/Update are restricted to fully trusted users: anyone with an account can edit their own description, and any other user viewing that profile may become the victim of an XSS attack.

This is particularly risky on publicly accessible Jenkins instances whose security realm is backed by a service like GitHub, GitLab, or Google accounts, since then potentially anyone can log in to Jenkins and edit their own profile.