@MaciejSzarecki, good to know. I checked my app against Velocity method allowlist and found 2 things:
(1) I was surprised that I had to allowlist my action's get...() and is...() methods too, because that is not necessary for Confluence 10. I see on https://developer.atlassian.com/server/framework/atlassian-sdk/configuring-the-velocity-allowlist/#auto-allowlisting that this is indeed listed as a Confluence-only feature, but I wonder why this is not also provided for Jira? Doesn't this sentence from the docs imply that it should be like that:
Ensure any data your Velocity templates require are readily accessible from your Action classes. This will avoid the need to maintain an extensive allowlist.
I would much appreciate it, because then I could get rid of 28 of 66 allowlist entries, which is 42%.
FYI, I also had to add Jira's own com.atlassian.jira.web.action.JiraWebActionSupport#isInlineDialogMode(), which is even more confusing.
(2) Please add javax.servlet.http.HttpServletRequestWrapper's getters to the global allowlist, specifically #getRequestURI(). This is already the case for Confluence 10, for comparison.
In general, I suggest aligning Jira 10's global allowlist with Confluence 10's, since Confluence 10 has already incorporated tons of feedback on that topic and is therefore more complete; see their CDAC thread.
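As an added illustration (not part of the original post and not Atlassian's own documentation), here is how the allowlist entries discussed above would look in a plugin's atlassian-plugin.xml. The `velocity-allowlist` module descriptor name and the `<method>` element are assumed from the Atlassian SDK page linked in the post; the Jira and servlet class names are the ones the post mentions, while com.example.MyAction and its two getters are placeholders standing in for the plugin's own action class.

```xml
<!-- Added example, not from the original post. Assumes the velocity-allowlist
     module descriptor and <method> element described in the Atlassian SDK docs.
     Entries use the ClassName#method(paramTypes) form the post itself quotes. -->
<atlassian-plugin key="com.example.myplugin" name="My Plugin" plugins-version="2">
    <velocity-allowlist key="velocity-allowlist">
        <!-- Jira 10 requires the action's own get...()/is...() methods to be listed
             (com.example.MyAction and its methods are placeholders) -->
        <method>com.example.MyAction#getIssueKey()</method>
        <method>com.example.MyAction#isEditable()</method>

        <!-- Jira's own base-class method the post had to add explicitly -->
        <method>com.atlassian.jira.web.action.JiraWebActionSupport#isInlineDialogMode()</method>

        <!-- servlet wrapper getter the post asks to have in the global allowlist;
             until then it has to be listed per plugin like this -->
        <method>javax.servlet.http.HttpServletRequestWrapper#getRequestURI()</method>
    </velocity-allowlist>
</atlassian-plugin>
```

Each entry names one exact method signature, so a template that calls a getter the descriptor does not list fails at render time rather than silently exposing the value; that is why the post counts the action's own getters as allowlist entries that would disappear if Jira auto-allowlisted them the way Confluence 10 does.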