Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

HTML is not parsed from a User Macro in Confluence 7.11.0

We recently upgraded from Confluence Server 7.6.2 to 7.11.0, and we noticed that one of our user macros stopped rendering HTML.

Here is a cut down user macro that shows the exact issue

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output

It is outputting the following now

Bold Test <b>Bold Test from var</b>

But it should be outputting

Bold Test Bold Test from var

Any ideas how to fix the macro again? Is there a velocity function I need to call?

3 answers

1 accepted

1 vote
Answer accepted

I raised a support ticket and they told me that the variable needs to end in "Html", so that it doesn't get escaped.

So the below code makes it work.

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($outputHtml="<b>Bold Test from var</b>")
$outputHtml

 It looks like this has been this way for around 10 years in plugins as seen here: https://community.atlassian.com/t5/Answers-Developer-Questions/How-to-prevent-velocity-escape-html/qaq-p/464152

I didn't read the above answer properly and saw the "@HtmlSafe" annotation instead, and so I thought I couldn't fix it that way, oh well.

Turns out it is documented in the developer confluence docs for plugins: https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/#reference-naming-convention but not in the user macro template syntax: https://confluence.atlassian.com/doc/user-macro-template-syntax-223906130.html

Support told me it's been this way since v7.7.2 due to a security fix

Davin Studer Community Leader Feb 24, 2021

Woah!!! Good to know. Thanks for posting.

Bill Bailey Community Leader Feb 24, 2021

Thanks for running this to ground. We haven't moved to 7 yet (held back by plugin changes), so good to know as this will bite me in the rear later on. ;-)

0 votes

Could you try like this?

#set(${output}="<b>Bold Test from var</b>")
${output}

Makes no difference.

It looks like "#set(${var}" is not valid only "#set($var" works.

By works, I mean valid velocity template, not works as in solves my problem. 

EDIT: clarity.

0 votes
Bill Bailey Community Leader Feb 19, 2021

Did the render options for the user macro somehow change, so that the output is not rendered?

Are you talking about "Macro Body Processing"? This macro is configured with "No macro body", as the macro doesn't use a body. Regardless I tried all the options, and it didn't make any difference.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Confluence

Announcing Team Calendars in Confluence Data Center

Hi Community! We're thrilled to share that Team Calendars for Confluence is now a built-in feature for Confluence Data Center releases 7.11 and beyond.  A long time favorite,  Team Cale...

177 views 0 6
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you