
Key: JRA-5307
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Jeff Turner [Atlassian]
Reporter: Mark Gladman
Votes: 0
Watchers: 0

Custom field textarea contents not escaped on edit page

Created: 22/Nov/04 12:23 AM   Updated: 30/Jul/06 07:35 PM
Component/s: Web interface
Affects Version/s: 3.0.2
Fix Version/s: 3.1

Time Tracking:
Not Specified

File Attachments: 1. Java Archive File edit-customfieldspatch.jar (1 kB)
2. XML File MABS-230.xml (4 kB)


Participants: Jeff Turner [Atlassian] and Mark Gladman
Since last comment: 3 years, 46 weeks, 3 days ago
Resolution Date: 22/Nov/04 06:47 PM
Labels:


Description
Something contained within the attached issue (in XML format) causes all HTML after the 'solutions' textarea/field to be rendered within the 'solutions' textarea.
This makes it impossible to change the security level or assignee of the issue.

Comments
Jeff Turner [Atlassian] added a comment - 22/Nov/04 05:47 PM
Thanks for the report. We aren't escaping the contents of textareas on the edit page, so any HTML content is interpreted literally.

Mark Gladman added a comment - 22/Nov/04 06:08 PM
Has this always been the case?

Also, is the textarea unescaped on purpose?
The reason I ask is that this is something that's highly likely to occur again.


Jeff Turner [Atlassian] added a comment - 22/Nov/04 06:47 PM
It has probably only been the case since 3.0, when we rewrote the custom field system.

Attached is a jar containing a fix for 3.0.x. To apply, go to the webapp root (atlassian-jira/ in JIRA Standalone, or edit-webapp/ in the webapp edition) and run 'jar xvf edit-customfieldspatch.jar'.
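
The failure diagnosed in the first comment (textarea contents written to the edit page without escaping), shown beside the escaped form. This is an added example, not JIRA's code or the contents of the attached patch; the class, the method names, the use of "solutions" as the form field name and the sample value are assumptions made for illustration.

```java
public class TextareaEscapeExample {

    // Minimal HTML escaper for text placed in an element body or attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the thread: the stored value is written verbatim,
    // so markup inside it becomes part of the edit page's own markup.
    static String renderUnescaped(String name, String value) {
        return "<textarea name=\"" + escapeHtml(name) + "\">" + value + "</textarea>";
    }

    // Hardened form: the value is escaped at the point where it is written out.
    static String renderEscaped(String name, String value) {
        return "<textarea name=\"" + escapeHtml(name) + "\">" + escapeHtml(value) + "</textarea>";
    }

    // Counts occurrences of a tag, to show whether the value altered the page structure.
    static int count(String haystack, String needle) {
        int n = 0;
        for (int i = haystack.indexOf(needle); i >= 0; i = haystack.indexOf(needle, i + 1)) n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed field value containing markup, as a pasted HTML snippet might.
        String value = "See <b>attached</b> form: </textarea><select name=\"x\">";
        String bad = renderUnescaped("solutions", value);
        String good = renderEscaped("solutions", value);
        System.out.println(bad);
        System.out.println(good);
        System.out.println("closing tags, unescaped: " + count(bad, "</textarea>"));
        System.out.println("closing tags, escaped:   " + count(good, "</textarea>"));
    }
}
```

In the escaped output the only `</textarea>` is the one the template emits, and the browser decodes the entities so the user still sees and edits the original text.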