Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,293,291
Community Members
 
Community Events
165
Community Groups

HTML is not parsed from a User Macro in Confluence 7.11.0

Joel Pearson
Joel Pearson Feb 18, 2021

We recently upgraded from Confluence Server 7.6.2 to 7.11.0, and we noticed that one of our user macros stopped rendering HTML.

Here is a cut down user macro that shows the exact issue

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output

It is outputting the following now

Bold Test <b>Bold Test from var</b>

But it should be outputting

Bold Test Bold Test from var

Any ideas how to fix the macro again? Is there a velocity function I need to call?

Answer
Watch
Like # people like this
818 views

3 answers

1 accepted

1 vote
Answer accepted
Joel Pearson
Joel Pearson Feb 22, 2021

I raised a support ticket and they told me that the variable needs to end in "Html", so that it doesn't get escaped.

So the below code makes it work.

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($outputHtml="<b>Bold Test from var</b>")
$outputHtml

 It looks like this has been this way for around 10 years in plugins as seen here: https://community.atlassian.com/t5/Answers-Developer-Questions/How-to-prevent-velocity-escape-html/qaq-p/464152

I didn't read the above answer properly and saw the "@HtmlSafe" annotation instead, and so I thought I couldn't fix it that way, oh well.

Turns out it is documented in the developer confluence docs for plugins: https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/#reference-naming-convention but not in the user macro template syntax: https://confluence.atlassian.com/doc/user-macro-template-syntax-223906130.html

View More Comments
Joel Pearson
Joel Pearson Feb 24, 2021

Support told me it's been this way since v7.7.2 due to a security fix

Like
Davin Studer
Davin Studer Feb 24, 2021

Woah!!! Good to know. Thanks for posting.

Like
Bill Bailey
Bill Bailey Community Leader Feb 24, 2021

Thanks for running this to ground. We haven't moved to 7 yet (held back by plugin changes), so good to know as this will bite me in the rear later on. ;-)

Like
Davin Studer
Davin Studer Apr 15, 2022

This just bit me when I upgraded our non-prod Confluence. I totally forgot about this ... which I apparently commented on a year ago. I've done a bit of testing and the html at the end of the variable can be any casing. So these all work.

  • html
  • hTmL
  • Html
  • HTML
  • HtMl
  • HtML
  • etc.

Also, any variables just named html/HTML/HtML/etc work. I think I may add a disclaimer about this in m Enhanced User Macro Editor app.

Like
Reply
0 votes
Bill Bailey
Bill Bailey Community Leader Feb 19, 2021

Did the render options for the user macro somehow change, so that the output is not rendered?

View More Comments
Joel Pearson
Joel Pearson Feb 19, 2021

Are you talking about "Macro Body Processing"? This macro is configured with "No macro body", as the macro doesn't use a body. Regardless I tried all the options, and it didn't make any difference.

Like
Reply
0 votes
Gonchik Tsymzhitov
Gonchik Tsymzhitov Community Leader Feb 18, 2021

Could you try like this?

#set(${output}="<b>Bold Test from var</b>")
${output}

View More Comments
Joel Pearson
Joel Pearson Feb 19, 2021

Makes no difference.

Like
Joel Pearson
Joel Pearson Feb 19, 2021 • edited Feb 20, 2021

It looks like "#set(${var}" is not valid only "#set($var" works.

By works, I mean valid velocity template, not works as in solves my problem. 

EDIT: clarity.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
Community showcase
Meg Bailey
Meg Bailey
Published in Confluence

Confluence: Where work and wellness meet

Feeling overwhelmed by the demands of work and life? With a 25% increase in the prevalence of anxiety and depression worldwide during the pandemic, for most of us, it’s a resounding yes . 🙋‍♀️ ...

729 views 5 21
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you