We recently upgraded from Confluence Server 7.6.2 to 7.11.0, and we noticed that one of our user macros stopped rendering HTML.
Here is a cut-down user macro that shows the exact issue:
## This is an example macro
## @noparams
<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output
It is outputting the following now:
Bold Test <b>Bold Test from var</b>
But it should be outputting:
Bold Test Bold Test from var
Any ideas how to fix the macro again? Is there a velocity function I need to call?
I raised a support ticket and they told me that the variable needs to end in "Html", so that it doesn't get escaped.
So the below code makes it work.
## This is an example macro
## @noparams
<b>Bold Test</b>
#set($outputHtml="<b>Bold Test from var</b>")
$outputHtml
It looks like this has been this way for around 10 years in plugins as seen here: https://community.atlassian.com/t5/Answers-Developer-Questions/How-to-prevent-velocity-escape-html/qaq-p/464152
I didn't read the above answer properly and saw the "@HtmlSafe" annotation instead, and so I thought I couldn't fix it that way, oh well.
Turns out it is documented in the developer confluence docs for plugins: https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/#reference-naming-convention but not in the user macro template syntax: https://confluence.atlassian.com/doc/user-macro-template-syntax-223906130.html
Support told me it's been this way since v7.7.2 due to a security fix.
Woah!!! Good to know. Thanks for posting.
Thanks for running this to ground. We haven't moved to 7 yet (held back by plugin changes), so good to know as this will bite me in the rear later on. ;-)
This just bit me when I upgraded our non-prod Confluence. I totally forgot about this ... which I apparently commented on a year ago. I've done a bit of testing and the html at the end of the variable can be any casing. So these all work.
Also, any variables just named html/HTML/HtML/etc work. I think I may add a disclaimer about this in my Enhanced User Macro Editor app.
Thanks - this was a very quick fix to something that's been bugging me since a recent upgrade knackered the formatting on some of our macros...
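An added example, not part of the original thread or Atlassian's code: a small Python audit that flags `#set` assignments in a user macro template whose string value contains markup but whose variable name does not end in "html" (any casing, as reported in the comments above), which are the variables that come out escaped after the upgrade. The regular expressions, function names and suggested rename are assumptions of this example, and it only looks at quoted string literals on a single line.

```python
import re

# Velocity "#set($name = "literal")" with a quoted string on the right-hand side.
SET_RE = re.compile(r"""#set\s*\(\s*\$([A-Za-z][\w-]*)\s*=\s*(["'])(.*?)\2\s*\)""")
# Anything that looks like an opening or closing HTML tag.
MARKUP_RE = re.compile(r"</?[A-Za-z][^>]*>")


def is_exempt(name):
    """Naming convention reported in this thread: names ending in 'html', any casing."""
    return name.lower().endswith("html")


def audit_macro(template):
    """Return (line_no, variable, suggested_name) for every #set that stores
    markup in a variable whose output will be HTML-escaped."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        if line.lstrip().startswith("##"):  # Velocity line comment
            continue
        for m in SET_RE.finditer(line):
            name, value = m.group(1), m.group(3)
            if MARKUP_RE.search(value) and not is_exempt(name):
                findings.append((line_no, name, name + "Html"))
    return findings


# Constructed sample input: the broken macro quoted in the question.
BROKEN = '''## This is an example macro
## @noparams
<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output'''

# The fixed macro from the answer: same template, variable renamed.
FIXED = BROKEN.replace("$output", "$outputHtml")

if __name__ == "__main__":
    for line_no, name, suggestion in audit_macro(BROKEN):
        print(f"line {line_no}: ${name} holds markup and will be escaped; "
              f"consider ${suggestion}")
```

The suffix switches escaping off for that reference, so before renaming a flagged variable check that its value carries no unencoded macro parameters or other user input.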
Did the render options for the user macro somehow change, so that the output is not rendered?
Are you talking about "Macro Body Processing"? This macro is configured with "No macro body", as the macro doesn't use a body. Regardless, I tried all the options, and it didn't make any difference.
Could you try like this?
#set(${output}="<b>Bold Test from var</b>")
${output}
It looks like "#set(${var}" is not valid; only "#set($var" works.
By works, I mean valid velocity template, not works as in solves my problem.
EDIT: clarity.