It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How do I enable HTML Macro?

This question is in reference to Atlassian Documentation: HTML Macro

I am the Admin for our site, and I went looking for this macro per the "Enabling the HTML Macro" instructions and could not find it. Is it no longer available?

2 answers

1 accepted

2 votes
Answer accepted

Hi Phil,

The HTML macro that was available for server isn't available on cloud.

However we've built a secure HTML macro as part of the Macro for Toolbox Cloud add-on which will let you embed HTML content into a page. Hope that helps!

@Tim Clipsham,

Thanks for the pointer. What exactly makes your macro secure in a way that the unavailable Confluence one isn't?

No worries. The original server macro embeds the content directly into the page itself but our add-on sandboxes your content inside an iframe. We have some more specifics under "Security" in our documentation.

Update: Our documentation has moved here: (I can't edit my prior post).

Like joseph.cook likes this

FYI company behind Macro Toolbox was acquired by Atlassian and they decided to discontinue this app. 

As alternative option, you can use our app HTML & Iframe Macro for Confluence

available in Marketplace.

For security reasons, the built-in HTML macro is not allowed to be enabled on Atlassian Cloud instances. This is a good thing because it makes your Atlassian Cloud Confluence safer.

However, that does not mean that you can't have a HTML Macro. Instead, to get a HTML Macro back you merely install an add-on from the marketplace that will provide it for you. Here is one for example:

Well I don't understand something, What makes it safer? Pay for it?

Like # people like this

It is not that you have to pay for it that makes it safe. The problem with the HTML Macro, as it exists in Confluence Server, is that a malicious user could inject any arbitrary HTML you like into the page and perform any action that you like. That is why we block the HTML macro in our Cloud products. This is an acceptable tradeoff for Server because many Server and Data Center customers that are heavily data privacy conscious will put their server instance in a VPN.

The Atlassian App framework uses iframes, scopes and other mechanisms to block what a 3rd party app can, and cannot, do. This significantly restricts the surface area of harm that injecting arbitrary HTML can cause. So it is the fact that these HTML macros are implemented as Atlassian Apps at all than make them more secure.

Also, our App developers could put in even more safeguards again.

In short, Apps are pretty cool and we invest in making them secure. I hope that answers the question?

That's not solution. The solution is add the html/css and sanitize all inputs.

Like # people like this

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted in Confluence

Lessons and Learnings: Six Months of Working Remote [Discussion]

Hey there, folks! For most of us, the past six months- yes, you read that right- have been a journey. More people than ever before have pivoted to working remotely, and navigating being on-scre...

5,345 views 4 6
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you