Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-28154

Javascript escape the value of "dark features" within the javascript context they are rendered out in

This issue is archived. You can view it, but you can't modify it. Learn more

    XMLWordPrintable

Details

    Description

      Current user specific dark feature values are not javascript escaped in the javascript context they exist in.

      e.g. the value "' + eval(alert(1) ) ' +" (without the double quotes) appears like the following in the feature javascript context:

      /**

      • Dark features are features that can enabled and disabled per user via a feature key. Their main use is to allow
      • in-development features to be rolled out to production in a low-risk fashion.
        */
        (function ($) {
        var featuresArray = ['' + eval(alert(1) ) + '','jira.frother.reporter.field','jira.user.darkfeature.admin','frother.assignee.field'];

      var features = {}
      $.each(featuresArray, function ()

      { features[this] = true; }

      );

      AJS.DarkFeatures = {
      isEnabled: function (key)

      { return !!features[key]; }

      };
      })(AJS.$);

      Attachments

        Issue Links

          is detailed by

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-28153 The "user" Dark Features page is vulnerable to XSRF/csrf

          • Medium - Medium priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              dblack David Black
              Archiver:
              mandreacchio Michael Andreacchio

              Dates

                Created:
                Updated:
                Resolved:
                Archived: