Details
- Bug
- Resolution: Won't Fix
- High
- None
- 5.0.3
- None
- 5
- 5.1
Description
Current user-specific dark feature values are not JavaScript-escaped in the JavaScript context they exist in.
E.g. the value "' + eval(alert(1) ) ' +" (without the double quotes) appears like the following in the feature JavaScript context:
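/**
 * Dark features are features that can be enabled and disabled per user via a feature key. Their main use is to allow
 * in-development features to be rolled out to production in a low-risk fashion.
 */
(function ($) {
    // Vulnerable line from the report: user-supplied keys are emitted unescaped inside '...' literals.
    var featuresArray = ['' + eval(alert(1) ) + '','jira.frother.reporter.field','jira.user.darkfeature.admin','frother.assignee.field'];
    var features = {};
    // The function bodies are missing from the report as rendered; the minimal bodies below are assumed.
    $.each(featuresArray, function () {
        features[this] = true;
    });
    AJS.DarkFeatures = {
        isEnabled: function (key) {
            return !!features[key];
        }
    };
})(AJS.$);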
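Added example (not code from the issue or from Jira): the same array literal built by plain concatenation and by JSON serialization with inline-script escaping, then evaluated with a stub `alert` to show which form lets a key run as code. The function names and sample keys are assumptions constructed for illustration; the payload is the form that yields the rendered line quoted above.

```javascript
// Constructed sample: the payload form that yields the rendered line in the
// report, plus one ordinary feature key.
const PAYLOAD = "' + eval(alert(1) ) + '";
const SAMPLE_KEYS = [PAYLOAD, 'jira.user.darkfeature.admin'];

// Vulnerable pattern: keys are wrapped in single quotes with no escaping,
// so a quote inside a key ends the string literal and the rest parses as code.
function renderUnsafe(keys) {
  return '[' + keys.map(k => "'" + k + "'").join(',') + ']';
}

// Hardened pattern: JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep the literal inert inside an inline
// <script> block (no "</script>", "<!--", or raw U+2028/U+2029).
const INLINE_SCRIPT_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029'
};
function renderSafe(keys) {
  return JSON.stringify(keys.map(String))
    .replace(/[<>&\u2028\u2029]/g, c => INLINE_SCRIPT_ESCAPES[c]);
}

// Evaluate a generated array literal as a script engine would, passing in a
// stub alert() that records whether any key was executed instead of stored.
function evaluateLiteral(literal) {
  let alertCalls = 0;
  const alert = () => { alertCalls += 1; };
  const value = new Function('alert', 'return ' + literal + ';')(alert);
  return { value, codeRan: alertCalls > 0 };
}

for (const render of [renderUnsafe, renderSafe]) {
  const literal = render(SAMPLE_KEYS);
  const { value, codeRan } = evaluateLiteral(literal);
  console.log(render.name, literal, '-> codeRan:', codeRan, 'first key:', value[0]);
}
```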
Issue Links
- is detailed by
  - JRASERVER-28153 The "user" Dark Features page is vulnerable to XSRF/csrf (Closed)