Jira Data Center
JRASERVER-70859

Disallow HTML in custom field descriptions and list item values by default



    Description

      Problem

      By default, Jira allows HTML in custom field descriptions and list item values. The option that controls this is Jira Admin -> System -> Enable HTML in custom field descriptions and list item values, and it is enabled by default.

      Justification

      This gives field values scope to break the page in exciting ways. For example, a description containing an unterminated HTML comment opener (<!--) hides everything after the field wherever that field is rendered. On the Field Configuration and Custom Fields admin pages the swallowed content includes the edit controls, so the breakage cannot be undone through the UI; the only way back is to edit the value in the database.

      Some customers require this, but we should encourage turning it off. Disabling it by default would help.
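      To make the failure mode concrete, the following is an added example and not Jira's code: the page template, the Edit link URL and the description payload are constructed stand-ins for a Jira admin page, not Jira's own markup. It inserts a field description into the page either raw (what the "Enable HTML" option does) or HTML-escaped, then tokenizes the result with the HTML5 rule that a comment opener with no closing --> runs to the end of the input, and reports whether the Edit control that follows the description still reaches the browser.

```python
# Added example, not Jira's code. PAGE_TEMPLATE, the Edit link and the
# payload are constructed stand-ins for a Jira admin page and field value.
import re
from html import escape

# Constructed stand-in for an admin page such as Custom Fields. {description}
# is where the custom field description is inserted; the Edit link after it
# stands for the control an admin needs in order to change the value back.
PAGE_TEMPLATE = (
    '<html><body><h1>Custom Fields</h1>'
    '<div class="description">{description}</div>'
    '<a id="edit" href="/admin/edit-field">Edit</a>'
    '</body></html>'
)

START_TAG = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")
ID_ATTR = re.compile(r'\bid\s*=\s*"([^"]*)"')


def render(description: str, allow_html: bool) -> str:
    """Insert the description into the page. allow_html=True mimics the
    'Enable HTML in custom field descriptions' option (raw insertion);
    False is the hardened form, where the text is HTML-escaped first."""
    body = description if allow_html else escape(description, quote=True)
    return PAGE_TEMPLATE.format(description=body)


def visible_elements(markup: str) -> list:
    """Minimal HTML5-style tokenizer returning (tag, id) for each start tag a
    browser would actually see. The rule that matters here is that a comment
    opener with no closing '-->' runs to end of input, so every element after
    it is dropped. Simplifications: the '--!>' closer and a '>' inside a
    quoted attribute value are not handled."""
    seen = []
    i, n = 0, len(markup)
    while i < n:
        if markup.startswith("<!--", i):
            j = i + 4
            if markup.startswith(">", j):      # '<!-->' closes immediately
                i = j + 1
                continue
            if markup.startswith("->", j):     # '<!--->' closes immediately
                i = j + 2
                continue
            end = markup.find("-->", j)
            if end < 0:
                break                          # unterminated: the rest is comment
            i = end + 3
            continue
        m = START_TAG.match(markup, i)
        if m:
            close = markup.find(">", m.end())
            attrs = markup[m.end():close] if close >= 0 else markup[m.end():]
            id_match = ID_ATTR.search(attrs)
            seen.append((m.group(1).lower(), id_match.group(1) if id_match else None))
            i = n if close < 0 else close + 1
            continue
        i += 1
    return seen


def visible_tag_names(markup: str) -> list:
    """Just the tag names, in document order."""
    return [tag for tag, _ in visible_elements(markup)]


def edit_control_survives(description: str, allow_html: bool) -> bool:
    """True if the Edit control after the description still reaches the browser."""
    elements = visible_elements(render(description, allow_html))
    return any(elem_id == "edit" for _, elem_id in elements)


if __name__ == "__main__":
    payload = "<!-- everything after this is swallowed"   # constructed description value
    for allow_html in (True, False):
        ok = edit_control_survives(payload, allow_html)
        print(f"allow_html={allow_html}: Edit control {'visible' if ok else 'GONE'}")
```

      With HTML allowed, the description's <!-- turns the Edit link and everything after it into comment text, which is exactly the lock-out described above; with the value escaped, the browser sees the literal characters and the control stays usable. The same run shows the broader point: any tag placed in a description reaches the browser untouched when the option is on.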

      Suggested Solution

      Disable this option by default

      From the Jira Software 8.7.x upgrade notes (https://confluence.atlassian.com/jirasoftware/jira-software-8-7-x-upgrade-notes-987138245.html); note that upgraded installations which had already used the option keep it enabled, so the setting is worth checking after an upgrade:

      ... It will now be switched to OFF for new Jira installations and the upgraded ones that have never used it. ... We recommend that you keep this option disabled for security reasons.

            People

              drauf Daniel Rauf
              allewellyn@atlassian.com Alex [Atlassian,PSE]
              Votes: 1
              Watchers: 12