Security Reminder: Many JavaScript AUI APIs interpret strings as HTML

For example, say you have something like this:

var errorMessage = failedRequest.responseText; // some error, e.g. the body of a failed request (failedRequest is a placeholder)
var myFlag = AJS.flag({
    type: 'error',
    body: errorMessage // interpreted as HTML, not as text
});

// or:

aui.message.error({
   content: errorMessage // interpreted as HTML, not as text
});

This is dangerous if the message includes any user-generated input, or maybe an error coming from a back-end, because those message strings are interpreted as HTML!

So you have to ensure that the content is static and contains zero user input, and no error messages you might not control. In practice that means we usually have to do:

var error = failedRequest.responseText; // some error, e.g. the body of a failed request (failedRequest is a placeholder)
var myFlag = AJS.flag({
    type: 'error',
    body: AJS.escapeHtml(error) // escape first, so the string is rendered as text
});

// or:

aui.message.error({
   content: AJS.escapeHtml(error) // escape first, so the string is rendered as text
});
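To make the difference concrete, here is an added example (not from the original post and not AUI code) with a small stand-in for AJS.escapeHtml and for an API that concatenates its body into markup; the error string and the flag template are constructed for the demo:

```javascript
// Minimal stand-in for AJS.escapeHtml (assumption: AUI's own implementation
// differs in detail). Escapes the five characters that can break out of
// HTML text or attribute context.
function escapeHtml(input) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Stand-in for what an HTML-interpreting API such as AJS.flag does with
// `body`: the string is dropped into markup that the browser then parses.
var BODY_OPEN = '<p class="body">';
var BODY_CLOSE = '</p>';
function renderFlagMarkup(body) {
  return '<div class="aui-flag aui-flag-error">' + BODY_OPEN + body + BODY_CLOSE + '</div>';
}

// Constructed sample: a back-end error that echoes a value the user typed.
var untrustedError = 'Request failed for project "<script>alert(1)</script>"';

// The pattern from the first snippet above: body passed through unchanged.
function unsafeFlag(message) {
  return renderFlagMarkup(message);
}

// The corrected pattern: escape before handing the string to the API.
function safeFlag(message) {
  return renderFlagMarkup(escapeHtml(message));
}

// Check used in the demo: does the body part of the markup contain a raw
// tag that did not come from the template? Any such tag would be parsed
// and executed by the browser.
function containsInjectedTag(markup) {
  var start = markup.indexOf(BODY_OPEN) + BODY_OPEN.length;
  var end = markup.lastIndexOf(BODY_CLOSE);
  return /<[a-zA-Z]/.test(markup.slice(start, end));
}

console.log('unsafe:', containsInjectedTag(unsafeFlag(untrustedError))); // true
console.log('safe:  ', containsInjectedTag(safeFlag(untrustedError)));   // false
```

The same check is a cheap unit test for your own wrappers around AJS.flag or aui.message: feed them a message containing a tag and assert it never reaches the markup unescaped.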

So as a developer: be aware of this. It is a nasty surprise!

For Atlassian: it is too late for these APIs. However, for future APIs: JavaScript APIs should not interpret any string as HTML. As a developer I do not expect that, and it ends up in XSS vulnerabilities in apps.
Our own apps got bitten by this a few times already.

PS: I do not know exactly which Atlassian APIs suffer from this. When in doubt, double check.