SR for Jira - Development
SRJIRA-4695

row results from database picker should be html-encoded rather than sanitised

    Details

    • Type: Bug
    • Status: To Do
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Critical Points: 0

      Description

      Currently they are sanitised, meaning any malicious javascript is stripped from them.

      This can lead to problems when the database result is something like <test - in this case nothing will be shown.

      When this is fixed the row result will be returned as &lt;test. (This is not displayed properly in Jira; the < should be the HTML entity &lt;.)

      The reason this is not done automatically is because some users are creating HTML with their SQL query, eg select '<b>' || name || '</b>' from foo.

      This means we can't automatically protect against XSS attacks whilst guaranteeing that all data will be displayable. (Currently we are protecting against XSS attacks at the cost that some strings may not be displayed).

      Any users formatting results in this way should switch to using groovy to customise the displayed value (https://scriptrunner.adaptavist.com/latest/jira/script-fields/database-picker.html#_customising_the_displayed_value) as soon as possible.

      When this is fixed in ScriptRunner 7, those customisations will not continue to work.
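      The following Groovy script is an added illustration of the two strategies this issue contrasts; it is not ScriptRunner's code and not part of the reporter's description. The regex-based sanitise() is an assumed stand-in for whatever tag-stripping the picker applies today (the real implementation is not shown on this page), and the sample rows are constructed: the "<test" value from the description, the output of a select '<b>' || name || '</b>' from foo query, and a payload an attacker could plant in the database.

```groovy
// Added example: contrasts a tag-stripping sanitiser with HTML encoding.
// Not ScriptRunner's own code; the sanitiser is an assumed stand-in.

// Strips anything that looks like a tag, including an unterminated "<..."
// tail. This is the behaviour that turns the row value "<test" into "".
String sanitise(String raw) {
    raw.replaceAll(/<[^>]*>?/, '')
}

// Encodes the HTML-significant characters. Nothing is lost: "<test"
// becomes "&lt;test", which a browser renders as the literal text "<test",
// and a <script> element becomes inert text rather than executable markup.
String htmlEncode(String raw) {
    def entities = ['&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;']
    raw.collect { ch -> entities[ch] ?: ch }.join('')
}

// Constructed sample rows (not real query output).
def rows = [
    '<test',                                   // value from the description
    '<b>alice</b>',                            // user building HTML in SQL
    '<script>alert(document.cookie)</script>', // stored-XSS payload
    'plain value',
]

rows.each { raw ->
    println "raw        : ${raw}"
    println "  sanitised: ${sanitise(raw).inspect()}"
    println "  encoded  : ${htmlEncode(raw)}"
}
```

      Sanitising drops the data for "<test" entirely and also silently rewrites "<b>alice</b>" to "alice"; encoding keeps every byte of every row but means the "<b>" markup from the SQL query is displayed as literal text, which is why users relying on that trick need to move their formatting into the groovy display customisation instead.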


      People

      Assignee: Unassigned
      Reporter: jechlin Jamie Echlin
      Votes: 0
      Watchers: 2
