OWASP Markup Formatter Plugin

This plugin is also known as "Safe HTML" Plugin and antisamy-markup-formatter.

Note

The plugin manager contains a slightly misleading warning: While there is no "different settings format", OWASP Markup Formatter Plugin 2.0 reduced the set of allowed elements. Previously defined descriptions may no longer look the same. The plugin can be freely upgraded to 2.0 or downgraded again to 1.8, if necessary.

About

This plugin allows formatting descriptions of jobs, builds, views, etc. in Jenkins using a safe subset of HTML.

This plugin sanitizes HTML sources using the OWASP Java HTML Sanitizer and a basic policy allowing limited HTML markup in user-submitted text.

Learn more: Markup Formatter configuration in the Jenkins handbook

Installation

This plugin is usually installed because it’s a suggested plugin in the setup wizard; Administrators installing the default set of plugins will also install this plugin that way.

It is also bundled in the jenkins.war and will automatically installed as a dependency of plugins with very old (1.553 or older) Jenkins core dependencies.

Configuration

Once the plugin is installed, go to Manage Jenkins → Configure Global Security → Markup Formatter. Select Safe HTML for the Markup Formatter option.

User-submitted text, like build, job, and view descriptions, will then support HTML formatting, but will be sanitized by removing potentially dangerous elements.

About Internal Names

Both the file name antisamy-markup-formatter.hpi and the class name RawHtmlMarkupFormatter are misleading: Neither describes the current behavior of the plugin; both names are used for historical reasons only.