Issue Details

Key: JRA-14506
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Chris Mountford [Atlassian]
Reporter: Nicolas Dumazet
Votes: 0
Watchers: 1

Failed Jelly Run does not escape HTML from the Jelly INPUT

Created: 24/Feb/08 04:07 PM   Updated: 06/Mar/08 05:53 PM
Component/s: Jelly
Affects Version/s: 3.12.2
Fix Version/s: 3.12.3

Time Tracking:
Not Specified

Environment: standalone, java 1.6.0, Ubuntu.

Participants: Chris Mountford [Atlassian], Dushan Hanuska [Atlassian] and Nicolas Dumazet
Resolution Date: 06/Mar/08 05:53 PM


Description
When there are HTML tags in the Jelly input, for example in an issue description, these tags will be interpreted in the errordump.

It can break the display and also prevent the developer from reading the error message.

Please convert special characters into html entities to avoid these problems.

Thanks

Nicolas.

[EDIT]:
I triggered this bug a while ago, so I had trouble reproducing it.

This sample will raise it:

<JiraJelly xmlns:jira="jelly:com.atlassian.jira.jelly.JiraTagLib">
<jira:CreateIssue description="

<form method='post' action='&amp;'>

<input type='text' size='150'/>

</form>

" issueType="Bug" priority="Major" project-key="PYWP" summary="sum" />
</JiraJelly>

This one is tricky: if you remove &amp; from the action, the code will get parsed correctly.

I will provide other code examples if you need them.



Comments
Chris Mountford [Atlassian] added a comment - 24/Feb/08 11:05 PM
Hi Nicolas,

I've been assigned to fix this problem but I'm having trouble reproducing it.

I have tried on the latest version of JIRA and made various kinds of Jelly errors occur but have been unable to see unescaped script contents in the error message.

Can you please provide some sample code that produces the problem you describe?

Also please confirm the version you are reporting this issue against. Is it happening on JIRA 3.12.2?

Regards,

Chris.


Nicolas Dumazet added a comment - 27/Feb/08 11:08 AM
Hi!

I edited the issue description.

Do you need other samples?

Nicolas.


Chris Mountford [Atlassian] added a comment - 02/Mar/08 10:42 PM
Hi Nicolas,

Sorry not to reply until now.

Thanks for the reproduction steps. I am fixing the bug now. It will be released with the next version of JIRA.

Chris.


Chris Mountford [Atlassian] added a comment - 06/Mar/08 05:53 PM
This was a pretty weird bug.

The problem probably has a very minimal impact since it is only known to be reproducible with a special class of invalid XML inputs.

More technical details follow:

We parse the input with a SAX parser which doesn't seem to mind the presence of illegal characters like "<" in an attribute value.

In the case where the Jelly tag chooses to render an error message as XML output (several tags do) and the original input cannot be parsed by the (electric xml) DOM parser (which we used to pretty print the results), then the code fell into a clause which did not properly escape the input XML when it was quoted back.
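The escaping failure described in that last comment, as an added illustration that is not JIRA's code: a strict XML parser rejects the reporter's sample because of the "<" inside the attribute value, and the error path then quotes the raw input back into an HTML dump. The `escape_input` switch, the function names and the use of Python's expat parser are assumptions made for this example.

```python
import html
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# Constructed reproduction input, modelled on the sample in the issue
# description: the '<' inside the description attribute makes the document
# ill-formed, so a strict DOM parser rejects it.
JELLY_INPUT = (
    '<JiraJelly xmlns:jira="jelly:com.atlassian.jira.jelly.JiraTagLib">\n'
    '<jira:CreateIssue description="\n'
    "<form method='post' action='&amp;'>\n"
    "<input type='text' size='150'/>\n"
    "</form>\n"
    '" issueType="Bug" priority="Major" project-key="PYWP" summary="sum" />\n'
    "</JiraJelly>\n"
)


def pretty_print_or_error(raw_input, escape_input):
    """Pretty-print the XML; if it cannot be parsed, quote the input back in
    an HTML error dump. escape_input=False models the unsafe clause from the
    bug, escape_input=True the fixed one. Returns (pretty_xml, error_dump)."""
    try:
        return xml.dom.minidom.parseString(raw_input).toprettyxml(), None
    except ExpatError as exc:
        # The parser message is also echoed, so it is escaped as well.
        quoted = html.escape(raw_input, quote=True) if escape_input else raw_input
        dump = "<h2>Jelly run failed</h2>\n<p>%s</p>\n<pre>%s</pre>" % (
            html.escape(str(exc), quote=True), quoted)
        return None, dump


def contains_raw_markup(dump, marker="<form"):
    """Detection check for an error page: quoted-back user input must never
    surface as a live tag. True means the dump is rendering raw markup."""
    return marker in dump


if __name__ == "__main__":
    _, unsafe = pretty_print_or_error(JELLY_INPUT, escape_input=False)
    _, safe = pretty_print_or_error(JELLY_INPUT, escape_input=True)
    print("unsafe dump renders raw tags:", contains_raw_markup(unsafe))
    print("escaped dump renders raw tags:", contains_raw_markup(safe))
```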