Active Objects not working in Jira 9.0.0 Velocity Templates

Hi everyone,
I updated our Jira Version from 8.16.1 to 9.0 and it caused problems with Active Objects in Velocity templates. Before I was just transferring a list of Active Objects as context parameter and iterating through it with a for each loop in the template:

        #foreach($config in $configs)
        <tr>
            <td>$config.getID()</td>
            <td>$config.getKey()</td>
            <td>$config.getConfig()</td>
            <td><input type="submit" class="delete-config" data-id="$config.getID()" name="submit" value="Delete"/></td>
            <td><a href="config?actionType=edit&id=$config.getID()" class="edit-config">Edit</a></td>
        </tr>
        #end

The issue is now that it doesn’t get rendered with the new Jira Version anymore, while it works fine with the previous version.

activeobjects691×138 5.9 KB

I currently use a workaround where I’m transferring every value in a separate String list to avoid Active Objects, but I really would prefer a “cleaner” solution.

Hi @CarolineW,

Looking at other posts, it seems there has been a change to not allow AO to be used directly in a Velocity template. Some comments include

• Jira 9.0 has a release candidate! - #64 by JonaIttermannDecadis
• Jira 9.0 has a release candidate! - #79 by AriesTriputranto

And it’s likely the workaround documented here explains what happened

• https://jira.atlassian.com/browse/JRASERVER-71733

these changes were made in order to limit potential template injection vulnerabilities

Regards,
James.

Hi CarolineW,

Can you help me on how did you transfer every value in a separate string. I’m facing same issue. I’m able to transfer only one column values.

Hi, this answer might come a bit late and I’m sure you have already solved it yourself. What I meant is that instead of transferring a list of Active Objects via your Servlet you can get the values from those in your Servlet, put them into ArrayLists and than return those to your template.