hski / projectroletab-public / issues / #35 - Cross site scripting vulnerability — Bitbucket

Issue #35 resolved

Holger Schimanski repo owner created an issue 2021-12-16

When Jira admin add a project role description with some HTML syntax like " onmouseover="alert('XSS'), then this is rendered on the project role tab without escaping and hence treated as HTML code by the browser.

This is a potential security issue and should be fixed by enabling HTML encoding of the rendering of the project role description.

‌

Comments (4)

Holger Schimanski reporter
Fixed by adding #enable_html_escaping() to the velocity template for the rendering of the project role tab page.
- 2021-12-16T16:39:45+00:00
Holger Schimanski reporter
- edited description
- 2021-12-16T16:40:12+00:00
Holger Schimanski reporter
- changed milestone to 2.6.5
- edited description
- 2021-12-16T16:41:09+00:00
Holger Schimanski reporter
- changed status to resolved
- 2023-03-03T21:56:58+00:00
Log in to comment

Assignee: Holger Schimanski

Type: bug

Priority: major

Status: resolved

Milestone: 2.6.5

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!