How do I enable HTML Macro?

This question is in reference to Atlassian Documentation: HTML Macro

I am the Admin for our site, and I went looking for this macro per the "Enabling the HTML Macro" instructions and could not find it. Is it no longer available?

2 answers

1 accepted

2 votes
Accepted answer

Hi Phil,

The HTML macro that was available for server isn't available on cloud.

However we've built a secure HTML macro as part of the Macro for Toolbox Cloud add-on which will let you embed HTML content into a page. Hope that helps!

@Tim Clipsham,

Thanks for the pointer. What exactly makes your macro secure in a way that the unavailable Confluence one isn't?

No worries. The original server macro embeds the content directly into the page itself but our add-on sandboxes your content inside an iframe. We have some more specifics under "Security" in our documentation.

Update: Our documentation has moved here: (I can't edit my prior post).

1 vote

For security reasons, the built-in HTML macro is not allowed to be enabled on Atlassian Cloud instances. This is a good thing because it makes your Atlassian Cloud Confluence safer.

However, that does not mean that you can't have a HTML Macro. Instead, to get a HTML Macro back you merely install an add-on from the marketplace that will provide it for you. Here is one for example:

Well I don't understand something, What makes it safer? Pay for it?

It is not that you have to pay for it that makes it safe. The problem with the HTML Macro, as it exists in Confluence Server, is that a malicious user could inject any arbitrary HTML you like into the page and perform any action that you like. That is why we block the HTML macro in our Cloud products. This is an acceptable tradeoff for Server because many Server and Data Center customers that are heavily data privacy conscious will put their server instance in a VPN.

The Atlassian App framework uses iframes, scopes and other mechanisms to block what a 3rd party app can, and cannot, do. This significantly restricts the surface area of harm that injecting arbitrary HTML can cause. So it is the fact that these HTML macros are implemented as Atlassian Apps at all than make them more secure.

Also, our App developers could put in even more safeguards again.

In short, Apps are pretty cool and we invest in making them secure. I hope that answers the question?

That's not solution. The solution is add the html/css and sanitize all inputs.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Oct 24, 2018 in Confluence

Atlassian Research opportunity with Confluence templates

Do you use templates with Confluence? Take part in a remote 1-hr workshop. You'll receive USD $100 for your time!   We're looking for people to participate in a   remote 1-hr workshop...

1,083 views 17 14
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you