Persistent XSS in a user's username within mentions within comments

Type atlassian
Reporter dblack
Modified 2017-02-20T00:45:31


A user's username is injected into the "rel" attribute of the user mention link without being properly encoded. If the username contains a " character, new attributes can be injected into the <a> element of the user mention link, which provides a persistent XSS vector.

To reproduce this issue:
1. Add or sign up as a user called: " onmouseover="alert(3)"
2. Mention the user in an issue: [~" onmouseover="alert(3)"]
3. Refresh the page.
4. Hover over the user's mention link.
5. Observe an alert prompt containing the value 3.
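
The following is an added illustration, not code from Jira or from the original report. It renders a mention link with the username in the "rel" attribute, first unencoded and then HTML-attribute-encoded, and lists the attributes the opening tag ends up with. The function names and the class="mention" markup are assumptions.

```javascript
// Added example: hypothetical renderer, not Jira's code.
// Username taken from the reproduction steps on this page.
const PAGE_USERNAME = '" onmouseover="alert(3)"';

// Encode the characters that can end or alter a quoted HTML attribute value.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the username reaches rel="..." unencoded.
function renderMentionUnsafe(username) {
  return '<a class="mention" rel="' + username + '">' + encodeHtmlAttr(username) + '</a>';
}

// Hardened form: the username is attribute-encoded before it is placed in rel.
function renderMentionSafe(username) {
  const encoded = encodeHtmlAttr(username);
  return '<a class="mention" rel="' + encoded + '">' + encoded + '</a>';
}

// Small scanner for name="value" pairs in the opening tag, enough to show
// which attributes the markup defines (not a full HTML parser).
function openTagAttributes(html) {
  const attrs = {};
  const pair = /\s+([^\s"'<>\/=]+)(?:="([^"]*)")?/y;
  pair.lastIndex = html.indexOf(' '); // first whitespace after the tag name
  let m;
  while ((m = pair.exec(html)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || '';
  }
  return attrs;
}

// Unencoded: the quote closes rel and an event-handler attribute appears.
console.log(Object.keys(openTagAttributes(renderMentionUnsafe(PAGE_USERNAME))));
// Encoded: the whole username stays inside the rel value.
console.log(Object.keys(openTagAttributes(renderMentionSafe(PAGE_USERNAME))));
```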