Javascript escape the value of "dark features" within the javascript context they are rendered out in

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

    • 5
    • 5.1

      Current user specific dark feature values are not javascript escaped in the javascript context they exist in.

      e.g. the value "' + eval(alert(1) ) ' +" (without the double quotes) appears like the following in the feature javascript context:

      /**

      • Dark features are features that can enabled and disabled per user via a feature key. Their main use is to allow
      • in-development features to be rolled out to production in a low-risk fashion.
        */
        (function ($) {
        var featuresArray = ['' + eval(alert(1) ) + '','jira.frother.reporter.field','jira.user.darkfeature.admin','frother.assignee.field'];

      var features = {}
      $.each(featuresArray, function ()

      { features[this] = true; }

      );

      AJS.DarkFeatures = {
      isEnabled: function (key)

      { return !!features[key]; }

      };
      })(AJS.$);

            Assignee:
            Unassigned
            Reporter:
            David Black
            Archiver:
            Michael Andreacchio

              Created:
              Updated:
              Resolved:
              Archived: