Suggestion
Resolution: Fixed
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Problem Definition
Currently you can use JavaScript in any description field. This can modify JIRA behaviour in very strange ways, and there is no way to trace it from a configuration point of view. Moreover, you can't see the added JavaScript code in the debugger, which makes troubleshooting very hard.
Suggested Solution
- Disable JavaScript in Description field by default
- Make special configuration option to enable JavaScript in that field
- Enable HTML in custom field descriptions and list item values.
- Wrap the code in <script type='text/javascript'> ... //# sourceURL=<GENERATED_PLACE_HOLDER>.js </script>
- Make UI/cli report which shows list of fields with JavaScript
Notes
Starting from Jira 8.7.0, we will switch the default option of "Enable HTML in custom field descriptions and list item values" to OFF - see JRASERVER-70858, JRASERVER-70859
Workaround
Partial: add the line //# sourceURL=<GENERATED_PLACE_HOLDER>.js to your JavaScript code so that it becomes visible in the debugger.
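As an added example (not code from this ticket or from Atlassian), the following script shows the shape of the field report suggested above together with the sourceURL workaround: it lists every field whose description embeds JavaScript and whether that script names itself to the debugger. The field names and descriptions are constructed for the example.

```python
import re

# Constructed sample: custom field name -> description text, as an admin
# might have entered it before the HTML option defaulted to OFF.
SAMPLE_FIELD_DESCRIPTIONS = {
    "Severity": "Pick the customer-facing severity.",
    "Release Notes": "<script type='text/javascript'>document.title='x';</script>",
    "Deploy Target": (
        "<script>\nconsole.log('hi');\n//# sourceURL=deploy-target-field.js\n</script>"
    ),
    "Owner": "<b>Required</b> for all bugs.",
    "Escalation": "<img src=\"logo.png\" onload=\"console.log('loaded')\">",
}

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SOURCE_URL = re.compile(r"//#\s*sourceURL\s*=\s*(\S+)")


def audit_field_descriptions(descriptions):
    """Return (field, reason, source_url) for every description that embeds
    JavaScript. source_url is None when the script has no //# sourceURL
    directive, i.e. it will show up anonymously in the browser debugger."""
    findings = []
    for field, text in descriptions.items():
        if SCRIPT_TAG.search(text):
            reason = "script tag"
        elif EVENT_HANDLER.search(text):
            reason = "inline event handler"
        else:
            continue  # plain text or harmless HTML markup
        m = SOURCE_URL.search(text)
        findings.append((field, reason, m.group(1) if m else None))
    return findings


def format_report(findings):
    """Render the findings as the plain-text CLI report the suggestion asks for."""
    lines = ["%-15s %-22s %s" % ("field", "reason", "debugger name")]
    for field, reason, url in findings:
        lines.append("%-15s %-22s %s" % (field, reason, url or "(none: not traceable)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_field_descriptions(SAMPLE_FIELD_DESCRIPTIONS)))
```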
Issue links
- is related to: JRASERVER-70858 Stored XSS in Add Field module - CVE-2019-20900 (Closed)
- relates to: JRASERVER-70859 Disallow HTML in custom field descriptions and list item values by default (Closed)
- relates to: JRASERVER-65600 As an JIRA Administrator I want to disable all JavaScript in JIRA input except JIRA banner (Gathering Interest)