Cross site scripting vulnerability
Issue #35
resolved
When a Jira admin adds a project role description with some HTML syntax like " onmouseover="alert('XSS') , then this is rendered on the project role tab without escaping and hence treated as HTML code by the browser.
This is a potential security issue and should be fixed by enabling HTML encoding of the rendering of the project role description.
Comments (4)
- reporter: edited description
- reporter: changed milestone to 2.6.5
- edited description
- reporter: changed status to resolved
Fixed by adding #enable_html_escaping() to the Velocity template for the rendering of the project role tab page.
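As an added example, not code from this issue or the plugin: a Python stand-in for the role tab template that renders the description once verbatim and once HTML-escaped, plus a check that lists attributes the browser would see which the template never declared. The TEMPLATE string, the helper names and the expected attribute set are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for the Velocity fragment that prints the description
# both inside an attribute and as element text.
TEMPLATE = '<td class="role-description" title="{description}">{description}</td>'

# The exact value quoted in the issue report.
PAYLOAD = '" onmouseover="alert(\'XSS\')'

# Attributes the template itself declares; anything else came from the data.
EXPECTED_ATTRS = {("td", "class"), ("td", "title")}


def render_unescaped(description: str) -> str:
    """Mimics the original template: the value is inserted verbatim."""
    return TEMPLATE.format(description=description)


def render_escaped(description: str) -> str:
    """Mimics the fixed template: the value is HTML-escaped.
    quote=True also turns " and ' into entities, which is what stops
    the value from closing the title attribute."""
    return TEMPLATE.format(description=escape(description, quote=True))


class _AttrCollector(HTMLParser):
    """Records every (tag, attribute) pair the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.seen: set[tuple[str, str]] = set()

    def handle_starttag(self, tag, attrs) -> None:
        for name, _value in attrs:
            self.seen.add((tag, name))


def injected_attributes(html: str) -> list[str]:
    """Return attribute names present in the rendered HTML that the
    template never declared, i.e. attributes the description smuggled in."""
    collector = _AttrCollector()
    collector.feed(html)
    return sorted(name for tag, name in collector.seen - EXPECTED_ATTRS)


if __name__ == "__main__":
    print(render_unescaped(PAYLOAD), injected_attributes(render_unescaped(PAYLOAD)))
    print(render_escaped(PAYLOAD), injected_attributes(render_escaped(PAYLOAD)))
```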