In November 2015, Jama Software made a security change to protect our customers in both the Cloud and self-hosted environments. With this change, we switched from a blocklist for attachment types to an allowlist (you can read more information here). The allowlist defines the HTML values that the system is permitted to render. As a result, Jama Software will not render any text that looks like HTML but is not included in the approved allowlist.
We have recognized that this setting has caused some confusion about how the application handles HTML tags. To address this, we wanted to define clear guidelines on how the application manages this information. This guidance specifically applies to the following plain-text fields:
- Predefined or custom text boxes
- Test steps, regardless of item type
Based on these changes, users should expect the following behavior in plain-text fields:

Test Step - Plain Text

| Add | Saved | View | Open to Edit | Saved | View |
|---|---|---|---|---|---|
| `hello <world hello` | `hello` | `hello` | `hello <world hello` | `hello <world hello` | `hello` |
| `hello <world> hello` | `hello hello` | `hello hello` | `hello <world> hello` | `hello <world> hello` | `hello hello` |
| `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` |
| `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` |
| `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` |
Predefined Text Boxes and Custom Text Boxes - Plain Text

| Add | Saved | View | Open to Edit | Saved | View |
|---|---|---|---|---|---|
| `hello <world hello` | `hello <world hello` | `hello` | `hello <world hello` | `hello <world hello` | `hello` |
| `hello <world> hello` | `hello <world> hello` | `hello hello` | `hello <world> hello` | `hello <world> hello` | `hello hello` |
| `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` | `hello < world hello` |
| `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` | `hello <1world hello` |
| `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` | `hello <= world hello` |
Test Steps and Text Boxes when HTML Tag Security Cleaner is enabled

| Add | Saved | View | Open to Edit | Saved | View |
|---|---|---|---|---|---|
| `hello <world hello` | `hello` | `hello` | `hello <world hello` | `hello` | `hello` |
| `hello <world> hello` | `hello hello` | `hello hello` | `hello <world> hello` | `hello hello` | `hello hello` |
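The tables above follow one consistent rule: a `<` that is directly followed by a letter opens a tag, an unterminated tag swallows the rest of the text, and a `<` followed by a space, digit or `=` is ordinary text. The cleaner below is an added illustration written for this article, not Jama Software's own code; the allowlist contents and the exact parsing rules are assumptions modelled on the behavior shown in the tables.

```python
import re
from typing import FrozenSet

# Constructed sample inputs, taken from the behavior tables above.
SAMPLES = [
    "hello <world hello",
    "hello <world> hello",
    "hello < world hello",
    "hello <1world hello",
    "hello <= world hello",
]

# A '<' only opens a tag when it is directly followed by an ASCII letter
# (or '/' plus a letter for an end tag); '< ', '<1' and '<=' stay literal.
TAG_OPEN = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)")


def clean_html(text: str, allowed: FrozenSet[str] = frozenset()) -> str:
    """Drop every tag whose name is not in `allowed`; keep literal '<' text.

    An unterminated tag (no closing '>') consumes the remainder of the
    input, which is why 'hello <world hello' is displayed as just 'hello'.
    """
    out = []
    i = 0
    while i < len(text):
        m = TAG_OPEN.match(text, i)
        if m is None:                  # not a tag opener: ordinary character
            out.append(text[i])
            i += 1
            continue
        end = text.find(">", m.end())
        if end == -1:                  # unterminated tag: discard the rest
            break
        tag = text[i:end + 1]
        if m.group(2).lower() in allowed:
            out.append(tag)            # allowlisted tag is rendered as HTML
        i = end + 1                    # any other tag is removed entirely
    return "".join(out)


def rendered_text(text: str, allowed: FrozenSet[str] = frozenset()) -> str:
    """What the viewer sees: cleaned text with whitespace collapsed as a browser would."""
    return " ".join(clean_html(text, allowed).split())


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} -> {rendered_text(sample)!r}")
```

Passing `allowed=frozenset({"b"})` keeps `<b>…</b>` intact while every other tag is still removed, which is the allowlist behavior the article describes.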
Updating Plain Text to Rich Text
Switching a field from plain text to Rich Text does not change any values stored in the database; the system renders those values the same way as before. Editing opens the field with the Rich Text Editor enabled, and the editor removes anything it determines to be bad HTML. Editing and saving the field will produce a new version without any bracketed text.

| Saved | View | Open to Edit | Edit | Saved |
|---|---|---|---|---|
| `hello <world hello` | `hello` | `hello` | `hello <world hello` | `hello <world hello` |
| `hello <world> hello` | `hello hello` | `hello hello` | `hello <world> hello` | `hello <world> hello` |
We hope this has been helpful. Please leave any questions or comments below.