    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Atlassian Update - 23 April 2015

      Hi everyone,

      There is an add-on from Atlassian Labs that provides a rich text dashboard gadget for JIRA Cloud. You can find it by searching for "rich text gadget" in the Find New Add-ons page on your JIRA Cloud instance or getting it from the Atlassian Marketplace.

      This add-on is not officially supported by Atlassian.

      Please remember that jira.atlassian.com is one of many inputs for the JIRA roadmap. You can learn more about our process here.

      I understand that our decision may be disappointing. Please don't hesitate to contact me if you have any questions.

      Regards,
      Dave Meyer
      dmeyer@atlassian.com

      The text gadget can make JIRA vulnerable to XSS attacks because it allows arbitrary html, which is why it is disabled by default.

      A wiki rendering replacement could cater to the needs of an arbitrary html gadget without the danger. Custom html could still be added to the wiki gadget where required through the creation of macro plugins for JIRA's wiki renderer.
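The contrast drawn in the description above, as an added example that is not Jira's code or its wiki renderer: a raw-HTML gadget turns stored author input into markup, while a wiki-style renderer escapes everything and emits only tags it writes itself. The function names, the supported subset (`hN.`, `*bold*`, `_italic_`, `[text|url]`) and the sample content are assumptions constructed for illustration.

```javascript
// Added example, not Jira code: a constructed, minimal wiki-style renderer.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// What an arbitrary-HTML gadget effectively does: stored input becomes markup.
function renderRawHtml(input) {
  return input;
}

// One pass over already-escaped text, so generated tags are never re-parsed.
// Supported inline syntax: [text|url], *bold*, _italic_.
const INLINE = /\[([^|\]\n]+)\|([^\]\s]+)\]|\*([^*\n]+)\*|_([^_\n]+)_/g;
function renderInline(escaped) {
  return escaped.replace(INLINE, (match, text, url, bold, em) => {
    if (bold !== undefined) return `<strong>${bold}</strong>`;
    if (em !== undefined) return `<em>${em}</em>`;
    // Scheme allowlist: anything but http(s) loses its link and keeps its text.
    return /^https?:\/\//i.test(url)
      ? `<a href="${url}" rel="noopener noreferrer">${text}</a>`
      : text;
  });
}

// Escape every line first, then emit only tags this function writes itself.
function renderWiki(input) {
  return input
    .split(/\r?\n/)
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const esc = escapeHtml(line);
      const h = /^h([1-6])\. (.*)$/.exec(esc);
      return h
        ? `<h${h[1]}>${renderInline(h[2])}</h${h[1]}>`
        : `<p>${renderInline(esc)}</p>`;
    })
    .join("\n");
}

// Constructed sample gadget content, including two hostile lines.
const sample = [
  "h2. Release dashboard",
  "Owner: *QA team*, see [runbook|https://wiki.example.com/runbook?a=1&b=2]",
  '<img src=x onerror="alert(1)">',
  "[click me|javascript:alert(1)]",
].join("\n");

console.log(renderWiki(sample));
```

Custom HTML beyond this subset would come from reviewed macros on the server side, as the description proposes, rather than from dashboard authors.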

            [JRASERVER-21965] Replace unsafe text gadget

            Mark Sim added a comment -

            where's the fix for this Atlassian?

            The text gadget can make JIRA vulnerable to XSS attacks because it allows arbitrary html, which is why it is disabled by default. A wiki rendering replacement could cater to the needs of an arbitrary html gadget without the danger. Custom html could still be added to the wiki gadget where required through the creation of macro plugins for JIRA's wiki renderer.
            


            Vladimir added a comment -

            Yes it will be very useful.

            I do not understand why the Jira dashboard does not know these basic features.

            If you look at any other dashboard applications, they can change these in the basic settings:

            • text
            • labels
            • color
            • titles
            • size

            Jira does not know such simple things. It can only do sizing, and in a very simple way. I think Dashboards in Jira are very sloppy! And it has gone nearly 5 years without changing!!!

             


            Tom added a comment -

            A new text gadget for jira server which does not cause any security problems would be extremely helpful and useful.


            mironym added a comment -

            +1. keeping the text gadget to allow only plain text would be already better. removing such unsafe text widget entirely is even better than the current situation -> we are able to turn it on, but it is inherently not secure - no, thanks.


            Tom Tabruyn added a comment -

            Thanks for the pointer to the add-on in Labs. Too bad it gets omitted when we use "View as wallboard" - so it is still not transferring onto our TV display.

            Dave Meyer added a comment -

            Hi,

            There is an unsupported add-on from Atlassian Labs that provides a rich text dashboard gadget for JIRA Cloud. You can find it by searching for "rich text gadget" in the Find New Add-ons page on your JIRA Cloud instance or getting it from the Atlassian Marketplace.

            Dave Meyer

            Senior Product Manager, JIRA


            Eli Mata added a comment -

            Any News on this?


            Tank Monitoring SkyBitz added a comment -

            I've evaluated the Introduction Gadget and it does not meet our needs. Please inform me when you resolve the security issues with your Text Gadget because we are more interested in it.

            Brendan Rollinson-Lorimer added a comment -

            I was also looking to have this work in the cloud.

            It would add a lot of value in providing the ability to add headings to more complex dashboards and link to external pages easily.

            My understanding is that there were some security concerns regarding XSS with the use of this gadget. However, restricting its use entirely doesn't seem like the best solution to the problem. At the very least, it would be nice for administrators to be able to add HTML-only content.

            Stephan Lenhart added a comment -

            To be able to create useful dashboards, we would need this feature again. Otherwise users just see a combination of controls, without any further explanation. So please enable this feature again! (Or replace it by another one that fulfills those requirements).

              Unassigned
              chris@atlassian.com Chris Mountford
              Votes: 180
              Watchers: 113