Suggestion
Resolution: Unresolved
Problem Definition
Users can add/inject JavaScript in different places in JIRA, e.g.:
- Custom field description
- FieldConfiguration description
That will break the UI in very unpredictable ways. This is extremely hard to troubleshoot.
Suggested Solution
Add an option to prevent JavaScript from being injected into text fields and make it the default.
The only allowed place should be the JIRA Admin banner, since it is controlled by the JIRA Admin.
Workaround
Review the DB manually and check for "script text/javascript" text.
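One way to automate the manual review, as an added example that is not part of the original ticket or Atlassian's code: it parses exported description values as HTML, so it also flags inline event handlers and `javascript:` URLs that a text search for "script text/javascript" would miss, and ignores plain text that merely mentions the words. The row labels, ids and descriptions are constructed sample data, not the JIRA schema.

```python
from html.parser import HTMLParser

# Constructed sample rows: (source label, record id, description text).
# They stand in for description values exported from the JIRA database.
SAMPLE_ROWS = [
    ("customfield", 10001, "Enter the customer's <b>account number</b>."),
    ("customfield", 10002,
     '<script type="text/javascript">jQuery("#summary").hide();</script>'),
    ("fieldconfiguration", 10100, '<img src="help.png" onload="toggleHelp()">'),
    ("fieldconfiguration", 10101, '<a href="JavaScript:void(0)">more</a>'),
    ("customfield", 10003, "Do not paste script text/javascript snippets here."),
]

# Attributes whose value is a URL the browser may execute.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ScriptFinder(HTMLParser):
    """Records each way a description's markup can carry JavaScript."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_descriptions(rows):
    """Return {(source, id): [findings]} for rows whose markup can run script."""
    flagged = {}
    for source, row_id, description in rows:
        finder = ScriptFinder()
        finder.feed(description or "")  # NULL descriptions are treated as empty
        finder.close()
        if finder.findings:
            flagged[(source, row_id)] = finder.findings
    return flagged


if __name__ == "__main__":
    for key, findings in scan_descriptions(SAMPLE_ROWS).items():
        print(key, findings)
```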
is related to
- JRASERVER-69293 HTML in custom field descriptions doesn't work on the Issue View (Closed)
- JRASERVER-44458 Using JavaScript in description field should require explicit configuration (Closed)