-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add configuration entry to allow adding additional elements. #36
base: master
Are you sure you want to change the base?
Conversation
Not a maintainer, but IMO this feels like something best done in another plugin to limit the complexity of the "default option". |
Do you mean code complexity or end user configuration complexity? I'm not sure how it would work if this was put in another plugin, could I have that plugin .depend on this plugin and overwrite it's functionlaity? I use the I also think that it would be confusing for users to have to install a separate plugin, adding the configuration to this plugin makes it simple for users to discover, and if you don't need it there is really no added configuration complexity. |
We implemented the same functionality in a very similar fashion. For us, this functionality is a must-have for being able to make changes/status/options visible in a readable manner to the entire team. In my opinion, the complexity does not get increased in a significant way and I do not understand the benefit of creating another plugin yet. @daniel-beck can you expand on why this may be the better approach? @lhupfeldt I installed your implementation in a docker container and it seems to work fine. Why is this PR in Draft mode aka how can I support you in finalizing this PR (without being a maintainer) (we like your implementation more than ours :-) )? |
@malte-behrendt-gr Check my first comment. It does not work after restart, that's why it is in draft. Your help would be appreciated. Although it seems the maintainers are not accepting any pull requests. |
@malte-behrendt-gr I have fixed the restart initialization problem. |
@lhupfeldt :-D fantastic In the meantime we combined your solution and ours. I also noticed you seem to work on something similar as we do (Jenkins and Python) - I hope I'll get around to take a closer look on it soon. |
Are any maintainers looking at pull requests? |
Makes sense. I added this dependency years ago to help fix yet another security vulnerability in that plugin. It might be a better choice longer term to detach Active Choices formatting from the global markup formatter if more customization is regularly needed. Given the frequency and severity of vulnerabilities in Active Choices, particularly XSS, as a reference use case I don't think it's particularly strong. Even ignoring that, this plugin has 10x the number of installs.
Depends on whether you want to help the admin make good decisions. |
Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
I think that it should be the admin's decision what to allow. Something inacceptable in a certain may be perfectly fine in another. |
Sure, but they should be equipped to make good decisions. There's already too many "gotchas" in Jenkins configuration, let's not add more.
https://plugins.jenkins.io/anything-goes-formatter/ exists; if you're fine with XSS, you're fine with everything and can allow everything (rather than pretend to only allow a subset). |
I still have the |
Good point, this regularly trips me up, including in an earlier response above -- Active Choices always uses this plugin rather than whatever is the configured markup formatter. This means Active Choices would need to change how it sanitizes output by switching to a different (perhaps more configurable) sanitizer, possibly provided on its own. Alternatively, it could allow configuring the markup formatter it uses from among all installed ones (rather than whichever is configured for all other text). (Personally I would still consider this use case to be too narrow to justify changing this markup formatter installed on most Jenkins instances.) |
The dependency problem is not the only use case. There are several people asking for support of different things which are not allowed by the plugin. E.g. why was |
It's the only use case I can think of that cannot currently be solved by having people migrate to a new Plugin hell can be real with Jenkins, but sufficiently narrow plugins are IMO a clear benefit. See e.g. https://plugins.jenkins.io/strict-crumb-issuer/ which has a bunch of options most people won't care about (and are lacking in the built-in implementation).
Depends on scope, I mostly do it manually but https://github.com/jenkinsci/jenkins/blob/master/translation-tool.pl may help with some content. |
I don't agree that the defaults are kept any simpler by not adding a configuration possibility. The defaults are exactly the same - you do not have to configure enything is you want the defaults. On the other hand splitting this into multiple plugins requires more total maintenance and the risk of a plugin not receiving the necessary security updates will be higher. And we still have not solved the problem of plugin dependency. |
For the general case (i.e. not Active Choices), that's basically how it works. There's nothing "default" about OWASP Markup Formatter other than it being recommended by the setup wizard (and it is recommended because it's useful and simple).
People have been complaining for at least a decade now (which is when I started using Jenkins, so probably for longer) about the confusing number of seemingly irrelevant options exposed in Jenkins configuration, so I disagree with this stance. Adding options for things only few people care about in this manner isn't a solution, it just adds work for everyone who needs to determine whether something is relevant to them or not. |
This would a non-bureaucratic solution to start using the tag: https://www.w3schools.com/tags/tag_details.asp
But alas, we first need to discuss it in 10 rounds and then actually make things way worse by providing a yet another plugin that does the same thing. It's circular logic. We could go ahead and remove URL support, because admins might misclick something. Jenkins might not be the place for such admins... |
FYI a plugin allowing customizing the set of allowed elements is currently in the hosting process: jenkins-infra/repository-permissions-updater#3364 |
I'm new to Jenkins plugin development and need some help with this.
There is an issue with initialization after Jenkins restart, causing a NullPointerException.
Everything works correctly after initially adding allowed elements, but after a Jenkins restart I need to visit the configuration page and click 'save'. The configuration is correctly saved and reloaded, but the class is not initialized correctly after restart.