
Enable XSS protection in HTML or HTML include Macro

Umang (I'm New Here), Jan 12, 2021

Hello,

We would like to use the HTML or HTML Include macro for our Confluence instance:

https://confluence.atlassian.com/conf74/html-macro-1003128855.html

https://confluence.atlassian.com/conf74/html-include-macro-1003128854.html

Both of these macros pose the risk of an XSS vulnerability. We are using version 7.4.1. Is there a way to use these macros and avoid the risk of XSS? I read some older articles about disabling JS. Is this available in Server version 7.4.1?

Our use case is to be able to include Google Docs in Confluence. So if there is a suggestion for another macro or a FREE solution to achieve inclusion of Google Docs without the use of the HTML macro / risk of XSS, we would be open to that suggestion as well.

1 answer

0 votes

Hi @Umang

Both macros can make your environment vulnerable, even on the latest version of Confluence.

If security is a must in your environment, it would be better to rely on a supported app available on the Atlassian Marketplace.

There are at least 3 options that may fit your use case: https://marketplace.atlassian.com/search?hosting=server&moreFilters=vendorSupported&product=confluence&query=google%20drive

Kind regards,
Thiago Masutti

Umang (I'm New Here), Jan 12, 2021

Hi @Thiago Masutti

Thank you for the response. So is there no way to disable JavaScript, or any script encoding or escaping, that would stop execution of JavaScript when using either of the HTML macros?

Alternatively, is there a way to enable the macros for specific users only?

Thank you for the link to the Marketplace apps. However, it looks like they are all paid apps, which may not be an option for us right now.

Regards
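Added example (not code from this thread, from Atlassian or from Confluence, and not a Confluence setting): the two questions above, "can the script be escaped?" and "can we keep the Google Docs embed?", pull in opposite directions, and the code below shows why. Escaping the whole macro body does neutralise any script, but the result is inert text, so no embed renders either. What keeps the use case while removing the XSS surface is an allowlist: accept nothing except exactly one iframe whose src is an https URL on an approved Google origin, and rebuild that iframe from a fixed attribute set instead of echoing the pasted markup, so event handlers, srcdoc and javascript: URLs cannot survive. The host list, the pass-through attributes and every sample input are assumptions made for the example.

```python
# Added example, not Confluence code: an allowlist filter that reduces an
# HTML-macro body to a single <iframe> pointing at a Google Docs origin.
# Scripts, event handlers, javascript: URLs and any extra tags are rejected.
# ALLOWED_HOSTS and PASSTHROUGH_ATTRS are assumptions, not Confluence settings.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"docs.google.com", "drive.google.com"}   # assumption
PASSTHROUGH_ATTRS = ("width", "height")                    # assumption


class EmbedParser(HTMLParser):
    """Records every tag and every piece of text; acceptance is decided later."""

    def __init__(self):
        super().__init__()
        self.tags = []   # (tag name, attribute dict) in document order
        self.text = ""   # text outside tags; anything non-blank is rejected

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag.lower(), dict(attrs)))

    def handle_data(self, data):
        self.text += data

    def handle_comment(self, data):
        # Comment tricks are not worth reasoning about; treat as a foreign tag.
        self.tags.append(("!--", {}))


def safe_embed_src(src):
    """True only for an https URL whose host is on the allowlist.

    urlsplit() yields scheme '' for //host/..., scheme 'javascript' for
    javascript: URLs and host 'evil.example' for https://docs.google.com@evil.example/,
    so all of those fail here without hand-written string matching.
    """
    if not src:
        return False
    parts = urlsplit(src.strip())
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def sanitize_embed(markup):
    """Return a rebuilt <iframe> string, or None if the markup is anything
    other than exactly one iframe pointing at an allowed host."""
    parser = EmbedParser()
    parser.feed(markup)
    parser.close()
    if parser.text.strip() or len(parser.tags) != 1:
        return None
    tag, attrs = parser.tags[0]
    if tag != "iframe" or not safe_embed_src(attrs.get("src")):
        return None
    # Rebuild the tag from a fixed attribute set instead of echoing the
    # input, so onload=..., srcdoc=... and anything else cannot survive.
    parts = ['<iframe src="%s"' % escape(attrs["src"].strip(), quote=True)]
    for name in PASSTHROUGH_ATTRS:
        value = attrs.get(name)
        if value and value.isdigit():
            parts.append(' %s="%s"' % (name, value))
    parts.append("></iframe>")
    return "".join(parts)


def escape_all(markup):
    """What 'script escaping' the whole macro body amounts to: inert text.
    Safe, but no iframe is rendered, so the Google Docs use case is lost."""
    return escape(markup, quote=True)


if __name__ == "__main__":
    # Constructed inputs, not taken from any real Confluence page.
    samples = [
        '<iframe src="https://docs.google.com/document/d/abc/pub?embedded=true" width="640" height="480"></iframe>',
        '<iframe src="https://docs.google.com/document/d/abc/pub" onload="alert(1)"></iframe>',
        '<iframe src="javascript:alert(1)"></iframe>',
        '<iframe src="https://docs.google.com.evil.example/d"></iframe>',
        '<img src=x onerror=alert(1)>',
        '<iframe src="https://docs.google.com/d/abc"></iframe><script>alert(1)</script>',
    ]
    for sample in samples:
        print(repr(sample[:60]), "->", sanitize_embed(sample))
    print(escape_all("<script>alert(1)</script>"))
```

The safety argument rests on the iframe being cross-origin: a document served from docs.google.com runs its scripts in Google's origin, not in the Confluence page's, so it cannot read Confluence cookies or the DOM. The two ways an iframe can still execute in the embedding origin, a javascript: src and a srcdoc attribute, are exactly what the rebuild step discards. Where this filter would run is the open question the thread leaves unanswered; it is generic Python over the macro body text and describes no Confluence feature.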
