Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-31154

User name should be masked in the HTML source code

XMLWordPrintable

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Currently, when in the people directory or mentioned a user on a page, the real user name is showing up in the HTML source code of the page like 

      <a class="confluence-userlink user-mention userlink-0" data-username="admin" href="/display/~admin" data-linked-resource-id="360450" data-linked-resource-type="userinfo" data-base-url="http://mymac:8530" title="" data-user-hover-bound="true">administrator</a>

      in the parameter "data-username", which might cause so security issue for some customer. Can we have a mask on it?

            [CONFSERVER-31154] User name should be masked in the HTML source code

            Adam Barnes (Inactive) added a comment -
            Atlassian update

            Thank you for raising this suggestion. We regret to inform you that due to limited demand, we have no plans to implement it in the foreseeable future. In order to set expectations, we're closing this request now. Sometimes potentially valuable tickets do get closed where the Summary or Description has not caught the attention of the community. If you feel that this suggestion is valuable, consider describing in more detail or outlining how this request will help you achieve your goals. We may then be able to provide better guidance. Thanks again.
            Regards,
            Confluence Product Management

            Adam Barnes (Inactive) added a comment - Atlassian update Thank you for raising this suggestion. We regret to inform you that due to limited demand, we have no plans to implement it in the foreseeable future. In order to set expectations, we're closing this request now. Sometimes potentially valuable tickets do get closed where the Summary or Description has not caught the attention of the community. If you feel that this suggestion is valuable, consider describing in more detail or outlining how this request will help you achieve your goals. We may then be able to provide better guidance. Thanks again. Regards, Confluence Product Management

            811planon added a comment -

            We have a similar issue. As we use the email address of external users (customers) as username. Via the @mention and share, these usernames are visible between () behind the Full name (I personally think this is of nu added value. Why add the username as you are just looking for a full name?). Because the username is the email address it's personal data. For us as vendor it's illegal to share personal data from our customers. 

            The usename doesn't pop-up anywhere in Confluence, only at the autosuggest drop down (@mention and share), so I don't agree with the argument that user IDs and the link to the users is unavoidable. 

            Someone at Atlassian support came with the idea to mask it with a javascript. We haven't looked into it yet, but we will. 

            811planon added a comment - We have a similar issue. As we use the email address of external users (customers) as username. Via the @mention and share, these usernames are visible between () behind the Full name (I personally think this is of nu added value. Why add the username as you are just looking for a full name?). Because the username is the email address it's personal data. For us as vendor it's illegal to share personal data from our customers.  The usename doesn't pop-up anywhere in Confluence, only at the autosuggest drop down (@mention and share), so I don't agree with the argument that user IDs and the link to the users is unavoidable.  Someone at Atlassian support came with the idea to mask it with a javascript. We haven't looked into it yet, but we will. 

            VitalyA added a comment -

            This is not a security issue as I mentioned above. The reporter seems to be asking to disable any linking to user pages, which would be a significant restriction of existing functionality.

            User IDs in links to user pages are unavoidable.

            VitalyA added a comment - This is not a security issue as I mentioned above. The reporter seems to be asking to disable any linking to user pages, which would be a significant restriction of existing functionality. User IDs in links to user pages are unavoidable.

            Thomas added a comment -

            We actually use Shibboleth as our single sign-on system. Therefore, it actually is a security risk as the usernames are in use for many services and can be easily associated with specific people via the HTML code generated by the Atlassian Confluence software. Isn't there anything you could do?

            Thomas added a comment - We actually use Shibboleth as our single sign-on system. Therefore, it actually is a security risk as the usernames are in use for many services and can be easily associated with specific people via the HTML code generated by the Atlassian Confluence software. Isn't there anything you could do?

            VitalyA added a comment - - edited

            Can we have a mask on it?

            I don't think this is a security issue. The page is meant to contain links, which happen to use the IDs.

            VitalyA added a comment - - edited Can we have a mask on it? I don't think this is a security issue. The page is meant to contain links, which happen to use the IDs.

              Unassigned Unassigned
              yilinmo Yilin (Inactive)
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: