Heads up! ScriptRunner documentation is moving to docs.adaptavist.com. Adaptavist will keep this site up for a bit, but no future updates to documentation will be published here. ScriptRunner 6.20.0 will be the last release to link to scriptrunner.adaptavist.com for in-app help.

Build Your HTML

When you generate HTML, use MarkupBuilder for security purposes. MarkupBuilder encodes any malicious tags an editor might try to insert. Additionally, the tool ensures that the output of HTML is well-formed. For example, it checks for open tags, which would break the formatting of your page.

MarkupBuilder should be used instead of returning HTML strings whenever possible.

Sanitize Your HTML

If you need to create custom HTML from strings, parse the input HTML and filter it through a white list of permitted tags and attributes. This can be done using the Jsoup clean() method.

import org.jsoup.Jsoup
import org.jsoup.safety.Whitelist

def potentiallyUnsafeHtml = "<p>${parameters.userInput}</p>" //a malicious user could put HTML in the userInput parameter
def cleanHtml = Jsoup.clean(unsanitizedHtml, Whitelist.simpleText()) //This will clean out any potentially malicious HTML, while still allowing basic formatting tags
return cleanHtml
See the Jsoup Whitelist API documentation for more details on different whitelisting options.

Have questions? Visit the Atlassian Community to connect, share, and learn with other Atlassian users and experts, including Adaptavist staff.

Ask a question about ScriptRunner for JIRA, Bitbucket Server, or Confluence.

Want to learn more? Check out courses on Adaptavist Learn, an online platform to onboard and train new users for Atlassian solutions.