Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-44458

Using JavaScript in description field should require explicit configuration

    XMLWordPrintable

Details

    • 1
    • 3
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

      Currently you can use JavaScript in any description field. This can modify JIRA behaviour in very strange way. There is no way to trace that from configuration point of view. More over you can't see added JavaScript code in Debugger, which makes troubleshooting very hard.

      Suggested Solution

      1. Disable JavaScript in Description field by default
      2. Make special configuration option to enable JavaScript in that field
        • Enable HTML in custom field descriptions and list item values.
      3. wrap the code in 
        <script type='text/javascript'>
...
//# sourceURL= <GENERATED_PLACE_HOLDER>.js
</script>
      4. Make UI/cli report which shows list of fields with JavaScript

      Notes

      Starting from Jira 8.7.0, we will switch the default option of "Enable HTML in custom field descriptions and list item values" to OFF - see JRASERVER-70858, JRASERVER-70859

      Workaround

      Partial, add line to your JavaScript code //# sourceURL= <GENERATED_PLACE_HOLDER>.js, so it will be visible to debugger.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-70858 Stored XSS in Add Field module - CVE-2019-20900

          • Low - Low priority issues
          • Closed
          relates to

          Suggestion - JRASERVER-70859 Disallow HTML in custom field descriptions and list item values by default

          • Closed

          Suggestion - JRASERVER-65600 As an JIRA Administrator I want to disable all JavaScript in JIRA input except JIRA banner

          • Gathering Interest
          mentioned in

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes:
              2 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: