It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Sign up for free Log in

Atlassian Community Hero Image Collage

Community
Products
Confluence
Questions
HTML is not parsed from a User Macro in Confluence 7.11.0

HTML is not parsed from a User Macro in Confluence 7.11.0

We recently upgraded from Confluence Server 7.6.2 to 7.11.0, and we noticed that one of our user macros stopped rendering HTML.

Here is a cut down user macro that shows the exact issue

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($output="<b>Bold Test from var</b>")
$output

It is outputting the following now

Bold Test <b>Bold Test from var</b>

But it should be outputting

Bold Test Bold Test from var

Any ideas how to fix the macro again? Is there a velocity function I need to call?

3 answers

1 accepted

1 vote

Answer accepted

I raised a support ticket and they told me that the variable needs to end in "Html", so that it doesn't get escaped.

So the below code makes it work.

## This is an example macro
## @noparams

<b>Bold Test</b>
#set($outputHtml="<b>Bold Test from var</b>")
$outputHtml

It looks like this has been this way for around 10 years in plugins as seen here: https://community.atlassian.com/t5/Answers-Developer-Questions/How-to-prevent-velocity-escape-html/qaq-p/464152

I didn't read the above answer properly and saw the "@HtmlSafe" annotation instead, and so I thought I couldn't fix it that way, oh well.

Turns out it is documented in the developer confluence docs for plugins: https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/#reference-naming-convention but not in the user macro template syntax: https://confluence.atlassian.com/doc/user-macro-template-syntax-223906130.html

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Support told me it's been this way since v7.7.2 due to a security fix

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Woah!!! Good to know. Thanks for posting.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Thanks for running this to ground. We haven't moved to 7 yet (held back by plugin changes), so good to know as this will bite me in the rear later on. ;-)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

0 votes

Could you try like this?

#set(${output}="<b>Bold Test from var</b>")
${output}

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Makes no difference.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

It looks like "#set(${var}" is not valid only "#set($var" works.

By works, I mean valid velocity template, not works as in solves my problem.

EDIT: clarity.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

0 votes

Did the render options for the user macro somehow change, so that the output is not rendered?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Are you talking about "Macro Body Processing"? This macro is configured with "No macro body", as the macro doesn't use a body. Regardless I tried all the options, and it didn't make any difference.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS