[TIME-135] XSS issues in the time sheet & pivot report gadgets
One of the JIRA Studio support engineers discovered some XSS vulnerabilities in the gadgets provided by the JIRA Timesheet Plugin:
- Change a user's fullname to something/><script>alert("user fullname -username");</script>
- Add the Timesheet gadget to a dashboard
- Configure it to show info from the above user
This should be fixed by ensuring that all values that are substituted into Velocity templates are HTML-encoded.
One convenient way to do that is to use the Atlassian Template Renderer plugin to invoke Velocity rather than using VelocityManager directly. ATR automatically encodes any interpolation that isn't marked as HTML-safe. It works similarly to Confluence anti-XSS mode: http://confluence.atlassian.com/display/CONFDEV/Anti-XSS+documentation
Docs on ATR:
- http://confluence.atlassian.com/display/DEVNET/Atlassian+Plugin+Development+Platform#AtlassianPluginDevelopmentPlatform-AtlassianTemplateRenderer
- http://confluence.atlassian.com/display/PLUGINFRAMEWORK/Atlassian+Template+Renderer
By tmoore/Tim Moore on Thu, 17 Feb 2011 21:00:33 -0800
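To illustrate the fix described above, here is an added example (not code from the plugin or from ATR) that models the two rendering paths: raw Velocity-style substitution versus ATR-like auto-escaping, where every interpolation is HTML-encoded unless the value is explicitly marked HTML-safe. The `HtmlSafe` marker, the `$name` placeholder syntax and the sample template are simplifications assumed for this model; the full name is constructed to resemble the payload in the reproduction steps.

```python
import html
import re

# Constructed full name resembling the payload in the ticket's reproduction steps.
MALICIOUS_FULLNAME = 'something/><script>alert("user fullname -username");</script>'

# Velocity-like fragment (assumed): the value lands inside an attribute and in text.
TEMPLATE = '<span title="$fullName">$fullName</span> $legend'

_VAR = re.compile(r"\$(\w+)")


class HtmlSafe(str):
    """Marker type: the renderer emits this value verbatim (the caller vouches for it).
    Stands in for ATR's HTML-safe marking; this is a model, not the real API."""


def render_unescaped(template: str, context: dict) -> str:
    """Model of calling VelocityManager directly: values are substituted as-is,
    so '/>' closes the attribute and the <script> tag reaches the browser."""
    return _VAR.sub(lambda m: str(context[m.group(1)]), template)


def render_autoescaped(template: str, context: dict) -> str:
    """Model of ATR anti-XSS behaviour: every interpolation is HTML-encoded
    unless the value is marked HtmlSafe. quote=True also encodes '"', so a
    value cannot break out of the attribute it is placed in."""
    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if isinstance(value, HtmlSafe):
            return str(value)
        return html.escape(str(value), quote=True)
    return _VAR.sub(substitute, template)


def demo() -> tuple:
    """Render the same context both ways; the legend is trusted markup."""
    ctx = {"fullName": MALICIOUS_FULLNAME, "legend": HtmlSafe("<em>hours</em>")}
    return render_unescaped(TEMPLATE, ctx), render_autoescaped(TEMPLATE, ctx)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("unescaped:  ", vulnerable)
    print("autoescaped:", safe)
```

Note that the escaped output still displays the user's full name correctly; only its interpretation as markup is prevented, which is why encoding at the template layer is preferable to filtering the stored value.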
Comments (4)
-
Fixed, use platinTextToHtml for user full name.
2.0:
Committed revision 159194
2.1:
Committed revision 159195
Additionally show escaped user full name in group timesheet:
Committed revision 159196
By azhdanov on Mon, 28 Mar 2011 17:05:47 -0700
-
Thanks for the update! To clarify: are all of the related XSS issues resolved in version 2.1?
By tmoore on Mon, 28 Mar 2011 17:17:11 -0700
-
Removing version: 2.2.9 (automated comment)
-
Any update on this?
By tmoore on Tue, 1 Mar 2011 22:14:52 -0800