JRASERVER-70859 (Jira Data Center)

Disallow HTML in custom field descriptions and list item values by default


      Problem

      By default, Jira allows HTML in custom field descriptions and list item values. The configuration item that controls this is in Jira Admin -> System -> Enable HTML in custom field descriptions and list item values, and it is Enabled by default.

      Justification

      With the option enabled, a description is inserted into the page as raw markup, which introduces scope for values to break the page in exciting ways: for example, an unterminated <!-- in a description hides everything after it once the field is loaded. On the Field Configuration and Custom Fields pages that includes the controls needed to edit the description, so the breakage cannot be undone from the UI (short of editing the database).

      Some customers require this, but we should encourage disabling it. Disabling it by default would help.
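To make the failure mode concrete, here is an added example (not Jira code; the page template, the sample description and the small tokenizer are constructed stand-ins) that renders a description into a page fragment with the option on (raw insertion) and off (inserted as escaped text), then checks whether the edit form that follows survives the way a browser's tokenizer treats an unterminated comment:

```python
"""Why an unescaped description containing "<!--" hides the rest of an admin
page, and why rendering the description as text prevents it.

Added example, not Jira code. PAGE_TEMPLATE, the description and tag_names()
are constructed stand-ins used only for illustration.
"""
import html
import re

# Constructed admin page fragment: the field description is rendered first,
# followed by the form an admin needs in order to change that description.
PAGE_TEMPLATE = (
    "<h2>Field Configuration</h2>"
    "<div class=\"description\">{description}</div>"
    "<form action=\"/EditFieldDescription.jspa\"><input name=\"description\">"
    "<button>Update</button></form>"
)


def render(description: str, allow_html: bool) -> str:
    """Render a stored description into the page.

    allow_html=True mirrors the option ON: the stored text is inserted
    verbatim as markup.  allow_html=False inserts it as escaped text, which
    is what the option OFF amounts to for this purpose.
    """
    if not allow_html:
        description = html.escape(description, quote=True)
    return PAGE_TEMPLATE.format(description=description)


_TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def tag_names(markup: str) -> list[str]:
    """Names of the tags a browser would see in `markup`.

    Minimal tokenizer implementing one rule of HTML tokenization: once a
    comment opens with '<!--', everything up to '-->' is comment content,
    and if '-->' never appears the comment runs to the end of the document.
    Enough to show the failure mode; not a general HTML parser.
    """
    names = []
    i = 0
    while i < len(markup):
        if markup.startswith("<!--", i):
            end = markup.find("-->", i + 4)
            if end < 0:
                break  # unterminated comment: the rest of the page is swallowed
            i = end + 3
            continue
        m = _TAG.match(markup, i)
        if m:
            names.append(("/" if m.group(1) else "") + m.group(2).lower())
            i = m.end()
        else:
            i += 1
    return names


def form_is_reachable(markup: str) -> bool:
    """True if the edit form and its input survive tokenization."""
    names = tag_names(markup)
    return "form" in names and "input" in names


if __name__ == "__main__":
    # Constructed description with the unterminated comment from the issue text.
    desc = "Story points <!-- helpful note"
    for allow in (True, False):
        page = render(desc, allow_html=allow)
        print(f"allow_html={allow}: edit form reachable = {form_is_reachable(page)}")
```

With the option on, the same raw insertion also lets a user with the admin rights to edit a description plant script that runs for everyone who views the page, which is the security reason the upgrade notes give for keeping it off.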

      Suggested Solution

      Disable this option by default

      From the Jira Software 8.7.x upgrade notes (https://confluence.atlassian.com/jirasoftware/jira-software-8-7-x-upgrade-notes-987138245.html):

      ... It will now be switched to OFF for new Jira installations and the upgraded ones that have never used it. ... We recommend that you keep this option disabled for security reasons.


            Thiago Masutti added a comment -

            Considering a description with HTML/JS content, we can use the following SQL queries to search where this could be used in your instance.

            -- '||' string concatenation below is PostgreSQL/Oracle syntax; on MySQL or SQL Server use CONCAT('customfield_', cf.id)

            ------- customfield table
            select cf.* from customfield cf where cf.description like '%<%';

            ------- fieldconfigscheme table
            select cf.customfieldtypekey,cf.cfname,fc.* from fieldconfigscheme fc join customfield cf on fc.fieldid='customfield_'||cf.id where fc.description like '%<%';

            ------- fieldlayoutitem table
            select cf.customfieldtypekey,cf.cfname,fli.* from fieldlayoutitem fli join customfield cf on fli.fieldidentifier='customfield_'||cf.id where fli.description like '%<%';

            ------- fieldconfiguration table
            select cf.customfieldtypekey,cf.cfname,fc.* from fieldconfiguration fc join customfield cf on fc.fieldid='customfield_'||cf.id where fc.description like '%<%';
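As an added example (not Jira code and not part of any comment on this issue), the script below runs the four queries from the comment above plus one more for system fields in fieldlayoutitem (the Time Tracking case Matt Doar raises further down), against a constructed in-memory SQLite copy of the relevant columns, and classifies each hit by what the markup can do. The table subset and sample rows are constructed; against a real Jira database you would replace the SQLite connection with one to that database (keeping in mind that '||' concatenation is PostgreSQL/SQLite/Oracle syntax and MySQL or SQL Server need CONCAT()).

```python
"""Find field descriptions containing HTML before deciding whether
'Enable HTML in custom field descriptions and list item values' can be
turned off, and what will be affected.

Added example, not Jira code.  SCHEMA is a constructed subset of the real
Jira columns, and SAMPLE_ROWS are made-up rows, so the script runs offline.
"""
import re
import sqlite3

SCHEMA = """
create table customfield (id integer primary key, customfieldtypekey text, cfname text, description text);
create table fieldconfigscheme (id integer primary key, configname text, fieldid text, description text);
create table fieldconfiguration (id integer primary key, configname text, fieldid text, description text);
create table fieldlayoutitem (id integer primary key, fieldlayout integer, fieldidentifier text, description text);
"""

# Constructed sample rows, not data from any real instance.
SAMPLE_ROWS = {
    "customfield": [
        (10001, "com.atlassian.jira.plugin.system.customfieldtypes:float", "Story Points", "Estimated effort"),
        (10002, "com.atlassian.jira.plugin.system.customfieldtypes:textfield", "Release Note", "Shown in notes <!-- TODO"),
        (10003, "com.atlassian.jira.plugin.system.customfieldtypes:select", "Region", "<b>Pick one</b>"),
    ],
    "fieldconfigscheme": [(10100, "Default Configuration Scheme for Story Points", "customfield_10001", None)],
    "fieldconfiguration": [(10200, "Default Configuration for Region", "customfield_10003", "See <script>alert(1)</script>")],
    "fieldlayoutitem": [
        (1, 10000, "timetracking", "An estimate of remaining work <a href=\"/secure/ViewTimeTracking.jspa\">help</a>"),
        (2, 10000, "summary", None),
        (3, 10000, "customfield_10002", "<img src=x onerror=alert(1)>"),
    ],
}

# The four queries from the comment above (custom fields only), plus system
# fields, whose descriptions live in fieldlayoutitem under their own identifier.
QUERIES = {
    "customfield": "select cf.cfname, cf.description from customfield cf where cf.description like '%<%'",
    "fieldconfigscheme": "select cf.cfname, fc.description from fieldconfigscheme fc join customfield cf on fc.fieldid='customfield_'||cf.id where fc.description like '%<%'",
    "fieldconfiguration": "select cf.cfname, fc.description from fieldconfiguration fc join customfield cf on fc.fieldid='customfield_'||cf.id where fc.description like '%<%'",
    "fieldlayoutitem": "select cf.cfname, fli.description from fieldlayoutitem fli join customfield cf on fli.fieldidentifier='customfield_'||cf.id where fli.description like '%<%'",
    "fieldlayoutitem (system fields)": "select fli.fieldidentifier, fli.description from fieldlayoutitem fli where fli.fieldidentifier not like 'customfield_%' and fli.description like '%<%'",
}

# Ordered from most to least serious; the first matching label wins.
MARKERS = [
    ("breaks page (unterminated comment)", re.compile(r"<!--(?!.*-->)", re.S)),
    ("script execution", re.compile(r"<script|javascript:|\son\w+\s*=", re.I)),
    ("markup", re.compile(r"<[a-zA-Z/!]")),
]


def classify(text: str) -> str:
    for label, pattern in MARKERS:
        if pattern.search(text):
            return label
    return "other '<'"


def load_sample(conn: sqlite3.Connection) -> None:
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"insert into {table} values ({placeholders})", rows)


def find_html_descriptions(conn: sqlite3.Connection) -> list[tuple[str, str, str, str]]:
    """Return (source, field, severity, description) tuples, most serious first."""
    findings = []
    for source, sql in QUERIES.items():
        for field, description in conn.execute(sql):
            findings.append((source, field, classify(description), description))
    order = {label: i for i, (label, _) in enumerate(MARKERS)}
    findings.sort(key=lambda f: order.get(f[2], len(MARKERS)))
    return findings


def sample_findings() -> list[tuple[str, str, str, str]]:
    """Run the scan against the constructed in-memory sample."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return find_html_descriptions(conn)


if __name__ == "__main__":
    for source, field, severity, description in sample_findings():
        print(f"{severity:36} {source:32} {field:16} {description!r}")
```

Rows classified as "markup" are the ones an admin may have added deliberately (the Time Tracking help link is the kind of thing JRASERVER-70909 is about) and will render as literal text once the option is off; the other two classes are the ones worth cleaning up regardless of the setting.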

            Kate Nevenchannaya added a comment -

            Thank you Matt Doar for caring about your fellow admins! Just hit the same problem after upgrading a non-prod environment, and it took some time to figure things out.

            Matt Doar added a comment -

            Hmm, looks like some Jira system fields use HTML in their descriptions (JRASERVER-70909).
            It would be helpful to show people how to find whether their custom fields have HTML in them before choosing to turn this on. A DB query might be a good start. The same query could be used to find any system fields other than Time Tracking that have this problem.

            Andriy Yakovlev [Atlassian] added a comment -

            Hey mdoar2
            Good question!
            It will be switched to OFF for new Jira installations and the upgraded ones that have never used it. So in the case you describe, nothing will change.

            Matt Doar added a comment -

            But if you're going to make it disabled by default, there need to be some docs on how to detect whether you do have fields with HTML in their descriptions, and show you a way to fix that. Otherwise someone's upgrade is going to be a right pain finding this out.

              Daniel Rauf (drauf)
              Alex [Atlassian,PSE] (allewellyn@atlassian.com)
              Votes: 1
              Watchers: 12