Render HTML tags in job log

changelogs/unreleased/render-html-tags-in-job-log.yml

+---
+title: Do not escape HTML tags in Ansi2json as they are escaped in the frontend
+merge_request: 19610
+author:
+type: fixed

lib/gitlab/ci/ansi2json/converter.rb

@@ -66,14 +66,12 @@ module Gitlab
           elsif scan_token(scanner, /\e(([@-_])(.*?)?)?$/)
             # stop scanning
             scanner.terminate
-          elsif scan_token(scanner, /</)
-            @state.current_line << '&lt;'
           elsif scan_token(scanner, /\r?\n/)
             flush_current_line
           elsif scan_token(scanner, /\r/)
             # drop last line
             @state.current_line.clear!
-          elsif scan_token(scanner, /.[^\e<\r\ns]*/m)
+          elsif scan_token(scanner, /.[^\e\r\ns]*/m)
             # this is a join from all previous tokens and first letters
             # it always matches at least one character `.`
             # it matches everything that is not start of:

spec/lib/gitlab/ci/ansi2json_spec.rb

@@ -224,17 +224,17 @@ describe Gitlab::Ci::Ansi2json do
         end
       end
 
-      it 'prevents XSS injection' do
-        trace = "#{section_start}section_end:1:2<script>alert('XSS Hack!');</script>#{section_end}"
+      it 'prints HTML tags as is' do
+        trace = "#{section_start}section_end:1:2<div>hello</div>#{section_end}"
         expect(convert_json(trace)).to eq([
           {
             offset: 0,
-            content: [{ text: "section_end:1:2&lt;script>alert('XSS Hack!');&lt;/script>" }],
+            content: [{ text: "section_end:1:2<div>hello</div>" }],
             section: 'prepare-script',
             section_header: true
           },
           {
-            offset: 95,
+            offset: 75,
             content: [],
             section: 'prepare-script',
             section_duration: '01:03'