How do I enable HTML Macro?

This question is in reference to Atlassian Documentation: HTML Macro

I am the Admin for our site, and I went looking for this macro per the "Enabling the HTML Macro" instructions and could not find it. Is it no longer available?

2 answers

1 accepted

2 votes
Accepted answer

Hi Phil,

The HTML macro that was available for server isn't available on cloud.

However, we've built a secure HTML macro as part of the Macro for Toolbox Cloud add-on which will let you embed HTML content into a page. Hope that helps!

@Tim Clipsham,

Thanks for the pointer. What exactly makes your macro secure in a way that the unavailable Confluence one isn't?

No worries. The original server macro embeds the content directly into the page itself but our add-on sandboxes your content inside an iframe. We have some more specifics under "Security" in our documentation.

Update: Our documentation has moved here: (I can't edit my prior post).

1 vote

For security reasons, the built-in HTML macro is not allowed to be enabled on Atlassian Cloud instances. This is a good thing because it makes your Atlassian Cloud Confluence safer.

However, that does not mean that you can't have an HTML Macro. Instead, to get an HTML Macro back you merely install an add-on from the marketplace that will provide it for you. Here is one for example:

Well, I don't understand something. What makes it safer? Pay for it?

It is not that you have to pay for it that makes it safe. The problem with the HTML Macro, as it exists in Confluence Server, is that a malicious user could inject any arbitrary HTML you like into the page and perform any action that you like. That is why we block the HTML macro in our Cloud products. This is an acceptable tradeoff for Server because many Server and Data Center customers that are heavily data privacy conscious will put their server instance in a VPN.

The Atlassian App framework uses iframes, scopes and other mechanisms to block what a 3rd party app can, and cannot, do. This significantly restricts the surface area of harm that injecting arbitrary HTML can cause. So it is the fact that these HTML macros are implemented as Atlassian Apps at all that makes them more secure.

Also, our App developers could put in even more safeguards again.

In short, Apps are pretty cool and we invest in making them secure. I hope that answers the question?

That's not a solution. The solution is to add the HTML/CSS and sanitize all inputs.
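
The difference the answers above describe, between embedding user HTML directly in the page and sandboxing it in an iframe, shown as an added example that is not part of the original thread and is not Atlassian's or the add-on's code. It assumes the standard HTML `sandbox` and `srcdoc` iframe attributes; the function names and sample input are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not an Atlassian or add-on API.

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Sandbox tokens this example will grant to untrusted content.
// allow-same-origin is deliberately absent: combined with allow-scripts it
// would let the framed content reach the host page and undo the sandbox.
const ALLOWED_TOKENS = new Set(["allow-scripts", "allow-forms", "allow-popups"]);

// Direct embedding: the user's markup becomes part of the host page's DOM,
// so any script in it runs with the host page's origin and session.
function embedDirect(userHtml) {
  return `<div class="html-macro">${userHtml}</div>`;
}

// Sandboxed embedding: the markup travels as the srcdoc of an iframe whose
// sandbox attribute gives the frame an opaque origin, so it cannot read the
// host page's DOM, cookies or storage.
function embedSandboxed(userHtml, tokens = []) {
  for (const t of tokens) {
    if (!ALLOWED_TOKENS.has(t)) {
      throw new Error(`sandbox token not permitted: ${t}`);
    }
  }
  const sandbox = [...new Set(tokens)].join(" ");
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(userHtml)}"></iframe>`;
}

// Constructed sample input.
const SAMPLE = '<p onclick="x()">Hi</p><script>document.title = "changed"</script>';
```
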
