How to identify fields with custom Javascript in their description in Jira Data Center / Server
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
As an admin, you may want to find which custom fields have custom scripts in their description. It may be useful to track code that could be interfering with page rendering, page performance or missing content.
These custom javascripts in field descriptions are often used to tweak visual elements in Jira when the fields are present, but can also change much more appearance and even fields behavior in Jira.
Environment
All versions of Jira Core 7.x, 8.x and 9.x.
Solution
The following SQL queries will show all fields that potentially have custom javascript code in them. There may be false-positives as the comparisons match words like "script", "html" and "css":
These queries were written and tested on PostgreSQL. If you're having issues executing them on a different DB product you may need to tweak the syntax accordingly.
The following query checks the descriptions of custom fields for scripts:
select * from customfield
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';Custom fields can also have alternate descriptions specified by field configurations:
select * from fieldlayoutitem
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';The following queries check for any scripts in custom field contexts:
select * from fieldconfigscheme
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';
select * from fieldconfiguration
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';It can also be worth checking the announcement banner for any scripts, as it's a known potential cause of interference when it contains custom scripts or HTML code:
select * from propertytext
where id in (select id from propertyentry
where property_key='jira.alertheader');Here are the same queries above all in one block for easier copying and pasting:
select * from customfield
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';
select * from fieldlayoutitem
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';
select * from fieldconfigscheme
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';
select * from fieldconfiguration
where lower(cast(description as varchar)) like '%<javascript%'
or lower(cast(description as varchar)) like '%<script%'
or lower(cast(description as varchar)) like '%html%'
or lower(cast(description as varchar)) like '%css%';
select * from propertytext
where id in (select id from propertyentry
where property_key='jira.alertheader');
- The configuration for "Enable HTML in custom field descriptions and list item values" is now disabled by default since Jira 8.7 as per JRASERVER-70859 - Disallow HTML in custom field descriptions and list item values by default.