- Type: Bug
- Resolution: Unresolved
- Priority: Low
- None
- Affects Version/s: 8.5.8, 8.18.1, 8.19.0
- Component/s: Login
- 8.05
- 1
- Severity 3 - Minor
- 0
Issue Summary
The login message can be customised via <JIRA_INSTALL>/atlassian-jira/WEB-INF/classes/com/atlassian/jira/web/action/JiraWebActionSupport.properties.
When the message is customised with HTML tags that reference an image (placed in <JIRA_INSTALL>/images/icons), the image is displayed as expected when the dashboard is first loaded. After an invalid login attempt, however, the customised message is HTML-escaped, so the tags are rendered as literal text instead of markup.
First loaded: [screenshot not included in this export]
After invalid login: [screenshot not included in this export]
This is only happening with login gadget, not the login page.
Steps to Reproduce
- Customise the login message with image HTML tags (placing the image in <JIRA_INSTALL>/images/icons) via <JIRA_INSTALL>/atlassian-jira/WEB-INF/classes/com/atlassian/jira/web/action/JiraWebActionSupport.properties.
- Restart Jira
- Test the login gadget with invalid credentials.
Expected Results
The customised message, including the image, is displayed as it is on the first load of the dashboard.
Actual Results
The message is HTML-escaped and the HTML tags are displayed as literal text.
Workaround
Tracing where the gadget.login.notmembernotpublic message is used led us to login.soy:
{if $isPublicMode}
<div class="field-group" id="publicmodeon">
<div id="publicmodeonmsg">
{getText('gadget.login.notmember', '<a id="signup" href="' + contextPath() + '/secure/Signup!default.jspa" tabindex="-1" target="_parent">', getText('gadget.login.notmember.signup'), '</a>')|noAutoescape}
</div>
</div>
{elseif $adminFormOn}
<div class="field-group" id="publicmodeooff">
<div id="publicmodeoffmsg">
{getText('gadget.login.notmembernotpublic', getText('common.concepts.contact.administrator', '<a id="contact-admin" href="' + contextPath() + '/secure/ContactAdministrators!default.jspa">', '</a>'))|noAutoescape}
</div>
</div>
{else}
<div class="field-group" id="publicmodeooff">
<div id="publicmodeoffmsg">
{getText('gadget.login.notmembernotpublic', getText('common.concepts.contact.administrator', '', ''))}
</div>
</div>
{/if}
As we can see, the third branch (public mode off, admin form off) is the only one missing |noAutoescape, so Soy HTML-escapes the message there while the other two branches render it as markup. Note that |noAutoescape disables output encoding for the whole string; this is acceptable here only because the message text comes from JiraWebActionSupport.properties on the server and the inner getText is called with empty strings, so no request-controlled data reaches the unescaped output.
The login.soy is embedded within <Jira-Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/jira-gadgets-plugin-<version>.jar.
Follow the steps below to rectify the issue:
- Extract the jira-gadgets-plugin-<version>.jar file:
jar xf jira-gadgets-plugin-8.5.8.jar
- Edit <Extracted_JAR>/static/dashboarditem/login/login.soy to add |noAutoescape to the last getText call:
{getText('gadget.login.notmembernotpublic', getText('common.concepts.contact.administrator', '', ''))|noAutoescape}
- Create a new JAR after modifying the files and give it the same name as the original JAR file (e.g. jira-gadgets-plugin-<version>.jar):
jar cvfm jira-gadgets-plugin-8.5.8.jar META-INF/MANIFEST.MF ./*
- Replace the JAR file in <Jira-Install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins
- Restart Jira
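The following script is an added example that automates the workaround above; it is not part of the original report or of the Jira gadgets plugin. It assumes the paths named in this report (the plugin directory under <Jira-Install> and static/dashboarditem/login/login.soy inside the JAR), that the jar tool is on PATH, and takes the Jira install directory and plugin version as arguments. The sed pattern is deliberately narrow so it changes only the third branch (the one with two empty-string arguments), leaves the branches that already carry |noAutoescape untouched, and is safe to run twice. write_sample_soy writes a constructed copy of the three branches quoted above so the patch step can be exercised offline.

```shell
#!/bin/sh
# Added example: apply the login.soy |noAutoescape workaround to the
# jira-gadgets-plugin JAR. Assumes the paths from the bug report.
set -eu

# Add |noAutoescape to the third branch only. The pattern requires the
# two empty-string arguments followed directly by "}", so the other two
# branches (which already end in |noAutoescape}) never match, and a
# second run is a no-op.
patch_login_soy() {
  soy="$1"
  sed "s/\(getText('common\.concepts\.contact\.administrator', '', ''))\)}/\1|noAutoescape}/" \
    "$soy" > "$soy.tmp" && mv "$soy.tmp" "$soy"
}

# Count lines that render gadget.login.notmembernotpublic WITHOUT
# |noAutoescape. Expected: 1 before the patch, 0 after.
count_escaped_notmembernotpublic() {
  grep 'gadget\.login\.notmembernotpublic' "$1" | grep -vc 'noAutoescape' || true
}

# Constructed copy of the three branches from login.soy as quoted in the
# report, used only to exercise patch_login_soy offline.
write_sample_soy() {
  cat > "$1" <<'EOF'
{if $isPublicMode}
<div class="field-group" id="publicmodeon">
{getText('gadget.login.notmember', '<a id="signup" href="' + contextPath() + '/secure/Signup!default.jspa" tabindex="-1" target="_parent">', getText('gadget.login.notmember.signup'), '</a>')|noAutoescape}
</div>
{elseif $adminFormOn}
<div class="field-group" id="publicmodeooff">
{getText('gadget.login.notmembernotpublic', getText('common.concepts.contact.administrator', '<a id="contact-admin" href="' + contextPath() + '/secure/ContactAdministrators!default.jspa">', '</a>'))|noAutoescape}
</div>
{else}
<div class="field-group" id="publicmodeooff">
{getText('gadget.login.notmembernotpublic', getText('common.concepts.contact.administrator', '', ''))}
</div>
{/if}
EOF
}

# Full workaround: back up the original JAR, unpack it, patch the
# template, repack with the original manifest, and put the JAR back.
# Requires the jar tool; restart Jira afterwards.
apply_workaround() {
  jira_install="$1"
  version="$2"
  plugins="$jira_install/atlassian-jira/WEB-INF/atlassian-bundled-plugins"
  jar_file="jira-gadgets-plugin-$version.jar"
  work=$(mktemp -d)

  cp "$plugins/$jar_file" "$plugins/$jar_file.orig"   # keep an untouched copy
  ( cd "$work" && jar xf "$plugins/$jar_file" )
  patch_login_soy "$work/static/dashboarditem/login/login.soy"
  if [ "$(count_escaped_notmembernotpublic "$work/static/dashboarditem/login/login.soy")" != "0" ]; then
    echo "login.soy did not match the expected template; JAR left unchanged" >&2
    rm -rf "$work"
    return 1
  fi
  ( cd "$work" && jar cvfm "$plugins/$jar_file" META-INF/MANIFEST.MF ./* )
  rm -rf "$work"
  echo "patched $plugins/$jar_file (original saved as $jar_file.orig); restart Jira"
}

# Usage: sh patch-login-gadget.sh /opt/atlassian/jira 8.5.8
if [ "$#" -eq 2 ]; then
  apply_workaround "$1" "$2"
fi
```

Run it as shown in the usage comment with the install directory and the plugin version from the JAR name. If the template has changed and the third branch no longer matches, the script refuses to repack rather than shipping an unmodified JAR under a new timestamp.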