Which HTML is supported in Jenkins job description

Because I had the fun of trying to figure out what exactly should work, documentation is light on usable details, and I don't want to have to do this again in a year or two, here goes:

Any references to RawHtmlMarkupFormatter are obsolete by now. As a comment said, the "safe html" markup is now provided by OWASP Markup Formatter Plugin (antisamy-markup-formatter). The actual tags it permits are visible indirectly in the BasicPolicy which uses org.owasp.html.Sanitizers. These two references together allow figuring out what's really supposed to be ok.

For example <font color=...> used to work back in the day (see MyspacePolicy in the other answer), but appears to no longer be allowed, but enough simple <span style="color:..."> styles are permitted to get somewhere equivalent. This matches the observed behavior of OWASP Markup Formatter 2.0 on a Jenkins instance.
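A way to check a given description against such a policy, added here as an example and not taken from the answer or from the plugin: it runs sample descriptions through a policy composed from the prebuilt org.owasp.html.Sanitizers and reports what the sanitizer discarded. The policy composition and the class name DescriptionPolicyProbe are assumptions; compare against BasicPolicy in the plugin version you actually run. It needs the OWASP Java HTML Sanitizer jar on the classpath.

```java
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import java.util.ArrayList;
import java.util.List;

public class DescriptionPolicyProbe {
    // Assumption: a stand-in for the plugin's policy, built only from the
    // prebuilt Sanitizers. The plugin's BasicPolicy may differ by version.
    static final PolicyFactory POLICY = Sanitizers.BLOCKS
            .and(Sanitizers.FORMATTING)
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES)
            .and(Sanitizers.TABLES);

    // Collects every tag or attribute the sanitizer reports as dropped.
    static final HtmlChangeListener<List<String>> LISTENER = new HtmlChangeListener<>() {
        @Override
        public void discardedTag(List<String> log, String elementName) {
            log.add("tag <" + elementName + ">");
        }

        @Override
        public void discardedAttributes(List<String> log, String tagName, String... attrs) {
            log.add("attributes " + String.join(",", attrs) + " on <" + tagName + ">");
        }
    };

    public static void main(String[] args) {
        // Constructed sample descriptions covering the cases discussed on this page.
        List<String> samples = List.of(
                "<font color=\"red\">build is broken</font>",
                "<span style=\"color:red\">build is broken</span>",
                "<a href=\"https://example.com/wiki\" target=\"_blank\">runbook</a>",
                "<b onclick=\"alert(1)\">bold</b>");

        for (String input : samples) {
            List<String> discarded = new ArrayList<>();
            String output = POLICY.sanitize(input, LISTENER, discarded);
            System.out.println("input:     " + input);
            System.out.println("output:    " + output);
            System.out.println("discarded: " + (discarded.isEmpty() ? "(nothing reported)" : discarded));
            System.out.println();
        }
    }
}
```

The sanitizer re-serializes its input, so the output can differ from the input even when nothing was discarded; rely on the listener report rather than a string comparison.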


Jenkins allows you to use various markup languages to write job descriptions; plugins can define how the description should be parsed via the MarkupFormatter interface.

By default, the RawHtmlMarkupFormatter is used, which applies an HTML sanitisation policy (from the OWASP AntiSamy Project) — the Myspace policy.

In the Myspace policy, you'll see that only certain tags and attributes are allowed. target isn't one of them, which is why you see it being stripped from your input.

For your use case, the alternatives are to install and configure another markup formatter plugin, or to write your own. Some examples include:

  • Escaped Markup Plugin: escapes all HTML tags (probably not so useful for you)
  • "Anything Goes" Formatter: allows any HTML input at all (with the associated security risks)
  • PegDown Formatter Plugin: lets you write your descriptions in Markdown (probably the nicest option here, but likely doesn't support things like target="_blank")
