Escape or filter script tags in "all activity" panel

2014-07-29T04:12:46
ID ATLASSIAN:JRASERVER-39318
Type atlassian
Reporter vosipov
Modified 2017-02-20T02:56:57

Description

We've got an external report about a third party plugin:

{quote} From: Vincent Ollivier <vincentollivier@hpjsolutions.com> Date: 29 July 2014 13:12 Subject: JIRA 6.2.5 / JEditor XSS Vulnerability To: security@atlassian.com

Hi,

Sorry for the email, I couldn't find the correct project to report this security issue. There's an XSS in JEditor comments and details textareas (https://marketplace.atlassian.com/plugins/com.jiraeditor.jeditor#support).

1) Add the following comment, in "source mode" : <iframe/src=javascript:alert(document.cookie)> 2) Delete the comment 3) Open the "all" tab under the activities panel.

You should get an alert box with a cookie displayed in it.

You can contact me if you need more informations.

Sincerely, Vincent OLLIVIER {quote}

I replied that the plugin needs to be fixed.

We need to do something with the output to "all" activities panel (and probably others?) to defend against sloppily coded third party plugins. Force encode? Strip script tags before outputting them?

Opinions welcome.