Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,293,291
Community Members
 
Community Events
165
Community Groups

HTML is not parsed from a User Macro in Confluence 7.11.0

We recently upgraded from Confluence Server 7.6.2 to 7.11.0, and we noticed that one of our user macros stopped rendering HTML.

Here is a cut down user macro that shows the exact issue

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output

It is outputting the following now

Bold Test <b>Bold Test from var</b>

But it should be outputting

Bold Test Bold Test from var

Any ideas how to fix the macro again? Is there a velocity function I need to call?

3 answers

1 accepted

1 vote
Answer accepted

I raised a support ticket and they told me that the variable needs to end in "Html", so that it doesn't get escaped.

So the below code makes it work.

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($outputHtml="<b>Bold Test from var</b>")
$outputHtml

 It looks like this has been this way for around 10 years in plugins as seen here: https://community.atlassian.com/t5/Answers-Developer-Questions/How-to-prevent-velocity-escape-html/qaq-p/464152

I didn't read the above answer properly and saw the "@HtmlSafe" annotation instead, and so I thought I couldn't fix it that way, oh well.

Turns out it is documented in the developer confluence docs for plugins: https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/#reference-naming-convention but not in the user macro template syntax: https://confluence.atlassian.com/doc/user-macro-template-syntax-223906130.html

Support told me it's been this way since v7.7.2 due to a security fix

Woah!!! Good to know. Thanks for posting.

Bill Bailey Community Leader Feb 24, 2021

Thanks for running this to ground. We haven't moved to 7 yet (held back by plugin changes), so good to know as this will bite me in the rear later on. ;-)

This just bit me when I upgraded our non-prod Confluence. I totally forgot about this ... which I apparently commented on a year ago. I've done a bit of testing and the html at the end of the variable can be any casing. So these all work.

  • html
  • hTmL
  • Html
  • HTML
  • HtMl
  • HtML
  • etc.

Also, any variables just named html/HTML/HtML/etc work. I think I may add a disclaimer about this in m Enhanced User Macro Editor app.

0 votes
Bill Bailey Community Leader Feb 19, 2021

Did the render options for the user macro somehow change, so that the output is not rendered?

Are you talking about "Macro Body Processing"? This macro is configured with "No macro body", as the macro doesn't use a body. Regardless I tried all the options, and it didn't make any difference.

0 votes

Could you try like this?

#set(${output}="<b>Bold Test from var</b>")
${output}

Makes no difference.

It looks like "#set(${var}" is not valid only "#set($var" works.

By works, I mean valid velocity template, not works as in solves my problem. 

EDIT: clarity.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Confluence

Confluence: Where work and wellness meet

Feeling overwhelmed by the demands of work and life? With a 25% increase in the prevalence of anxiety and depression worldwide during the pandemic, for most of us, it’s a resounding yes . 🙋‍♀️ ...

729 views 5 21
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you