After 2.3->2.5.8 Upgrade release notes with HTML are not displaying

We have been using HTML in our release notes, and had seen the issues reported with the 2.5.4 release regarding this, but we have upgraded to 2.5.8 and are seeing NO release notes displayed for any of our historical or new releases.

I hope this is a display issue only and we haven’t lost them out of the database.

For a couple of releases that were created manually before the upgrade the notes are displaying; these were done by manually entering the notes into the interface.

Regards,
Joel

Hi Joel,

Thanks for getting in touch! So the good news is they are still there. The bad/weird news is that it has never officially allowed HTML, and it was changed to Markdown.
It’s weird they aren’t showing at all. If you go into any of the releases where it isn’t showing and click Edit the release notes should show in this screen and when saving it should show them again.
I’m not suggesting that you do this for all releases that aren’t showing notes, just for you to be able to see them (and confirm they still exist).

It is surprising our sanitizer is being so aggressive to the point of not showing the HTML at all. Could you send through a sample of one of your HTML release notes so we can look into this a bit further?

Thanks!
Vanessa

Yes, editing the release works.

Attached is an example of the HTML from one of them.

Can you add a config option to turn off HTML sanitising?

Thanks,
Joel

HTML.txt (5 KB)

Hi Vanessa,

Which Markdown syntax do you support? Just the base syntax, or does Octopus include the GitHub extensions?

Kind Regards,
Andrew

Hi Andrew,

I have created a GitHub issue to at least find a way to show the HTML when we sanitize, as you obviously won’t want to edit all your releases and there is no easy way to script a change. https://github.com/OctopusDeploy/Issues/issues/1181

As for the config option, this would not be something we allow; in fact, the reason we added such a strong sanitizer is that HTML is just too easy to write something injectable in.

We only use base Markdown syntax.

Sorry this is such a big change for you, and that your process will have to change for this. Honestly we didn’t think it would be a breaking change and are surprised it allowed such extensive HTML in that field.

Vanessa

Hi Vanessa,

While I always appreciate security measures, this is a bit ridiculous.

If someone has permission to “create a release” they have permission to push installable code to machines and run it as a local administrator. Why would they then go through the trouble of writing malicious JavaScript when they can send and execute executables on machines?

And even if someone did set up an Octopus server with the need for this, having an admin-level config option to turn it off is something that they could leave turned on.

Can we pay to have this feature implemented?

Regards,
Joel

Hi Joel,

Sorry this change turned out to be such a pain for you. I don’t think it comes across clearly in the ticket - the intention of #1181 linked above is that we’ll accept HTML along the lines you’ve provided (there’s nothing/very little specifically in the sample you’ve sent that should not be passed through).

Just for the sake of some background so we don’t seem too far off in the woods :), the permission to create a release isn’t always a high-level one: since source NuGet feeds are secured/limited to a restricted set, and the ability to deploy releases is managed separately and per-environment, it’s occasionally the case that low-privilege users might create self-serve releases for e.g. a test environment. Injecting malicious script would impact any user viewing the release, not only those who might deploy it, so we need to keep this in mind.

Improving the sanitisation we use is probably a quicker and easier path to sorting this out than providing feature toggles and so-on; another option you might try if you are deeply impacted is to use the Octopus.Client package/REST API to programmatically extract/simplify/update the affected release notes. By removing <p> tags I was able to get this otherwise unchanged chunk of your sample:

<span lang="EN-US" style='font-size: 9.0pt; font-family: "Segoe UI","sans-serif"; 
color: blue'><a href='http://tfs01:8080/tfs/web/UI/Pages/WorkItems/WorkItemEdit.aspx?id=9012&pguid=3ab783a9-7377-4112-9517-e5a15fdd2f04'>Work Item 9012</a></span></u><span lang="EN-US" 
style='font-size: 9.0pt; font-family: "Segoe UI","sans-serif"; color: black'>, Wording 
update to COOKIES page</span><span lang="EN-US" style='font-size: 9.0pt; 
font-family: "Segoe UI","sans-serif";color: #6D6D6D'>Andrew McClenaghan</span>

…to render correctly. (Line breaks added only for clarity.) It’s possible a find/replace over the Release.Notes field, substituting paragraphs for blank lines and so-on, will sort this out. Having this run periodically on newly-created releases (every 5 minutes perhaps) could serve as a (somewhat kludgy) workaround in the short term.

Hope this helps, we’ll update #1181 with progress on this.

Regards,
Nick
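The programmatic workaround Nick sketches above (pull the affected releases through the REST API, strip the <p> wrappers so paragraphs become blank-line-separated Markdown paragraphs, and write them back) as an added example that is not Octopus Deploy's code or part of the original thread. It assumes the Octopus REST API conventions of a paged /api/releases collection with "Items" and "Links" ("Self", "Page.Next"), an X-Octopus-ApiKey header and a "ReleaseNotes" JSON field; the sample note is constructed to resemble the Word/TFS markup in the thread. The rewrite only changes layout markup; it does not make the notes safe on its own, so the server-side sanitizer stays in place and the script runs as a dry run unless told otherwise.

```python
"""Rewrite HTML-paragraph release notes into plain Markdown paragraphs.

Added example, not Octopus Deploy code. API paths, header and field names
are assumptions to check against your server's /api documentation.
"""
import json
import re
import urllib.request

# Constructed sample, shaped like notes pasted from Word/TFS (not the attachment).
SAMPLE_NOTE = (
    '<p class="MsoNormal"><span lang="EN-US" style="color: blue">'
    "<a href='http://tfs01:8080/tfs/web/UI/Pages/WorkItems/WorkItemEdit.aspx?id=9012'>"
    "Work Item 9012</a></span>, Wording update to COOKIES page</p>\n"
    '<p class="MsoNormal">Second change</p>'
)

_P_OPEN = re.compile(r"<p\b[^>]*>", re.IGNORECASE)
_P_CLOSE = re.compile(r"</p\s*>", re.IGNORECASE)


def simplify_release_notes(html: str) -> str:
    """Drop <p ...> / </p> wrappers and separate paragraphs with one blank line.

    Inline markup (span, a) is left untouched, as in the chunk Nick found
    renders once the paragraph tags are gone.
    """
    text = _P_CLOSE.sub("\n\n", html)
    text = _P_OPEN.sub("", text)
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", text)]
    return "\n\n".join(p for p in paragraphs if p)


def needs_rewrite(notes: str) -> bool:
    """True when the notes still carry <p> tags that the sanitizer would choke on."""
    return bool(notes) and _P_OPEN.search(notes) is not None


def _request(base_url: str, api_key: str, path: str, method: str = "GET", body=None):
    # Assumed convention: API key in the X-Octopus-ApiKey header, JSON bodies.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={"X-Octopus-ApiKey": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rewrite_releases(base_url: str, api_key: str, dry_run: bool = True) -> list:
    """Walk the paged /api/releases collection and rewrite notes that need it.

    Returns the ids of releases that were (or, in a dry run, would be) changed,
    so a periodic run can be logged and reviewed.
    """
    changed = []
    path = "/api/releases"  # assumed collection endpoint
    while path:
        page = _request(base_url, api_key, path)
        for release in page["Items"]:
            notes = release.get("ReleaseNotes") or ""  # assumed field name
            if not needs_rewrite(notes):
                continue
            release["ReleaseNotes"] = simplify_release_notes(notes)
            changed.append(release["Id"])
            if not dry_run:
                _request(base_url, api_key, release["Links"]["Self"], "PUT", release)
        path = page["Links"].get("Page.Next")  # assumed paging link
    return changed


if __name__ == "__main__":
    print(simplify_release_notes(SAMPLE_NOTE))
```

Run it against the sample first to see the transformation, then point rewrite_releases at a test server with dry_run=True and inspect the returned ids before letting it write anything; scheduling the non-dry run every few minutes gives the periodic workaround described above.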