Does Jira sanitize valid output?

Hi,

It looks like Jira removes the output sent from an authenticated servlet, depending on the file extension in the URL.

Example:

http://localhost:2990/jira/plugins/servlet/test/README.**md**

No data on the browser because Jira removes it from the ServletOutputStream.

However, renaming the file from .md to .js works:

http://localhost:2990/jira/plugins/servlet/test/README.**js**

Please see the picture:

Just the same test conditions. Only the file extension changed.

Is this a known issue? Does Jira sanitize/remove the output depending on the file extension in the URL?

I saw that an X-AUSERNAME header is present when it does not work.

When the header is added to the servlet response, the second case stops working and the output is also removed, so it is reproducible.

When and why is the X-AUSERNAME header added?

Thanks,
Pablo.