Macros and rich text and XSS

Currently we are looking to have a macro using a static content macro defined in atlassian-connect.json like this:

 "staticContentMacros": [
...
        "outputType": "block",
        "bodyType": "rich-text",
...

This results in a rich text editor available for the user to change the macro content. During rendering we get the macro body from Atlassian.
Now my question is: Is the macro body from Atlassian always safe html? Do we need to escape the macro body in any way to mitigate XSS attacks?

1 Like
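The question above is whether a Connect app must escape the rich-text body itself. Regardless of what Confluence does on its side, an app can treat the body as untrusted and apply its own allowlist before embedding it in the HTML it returns. The following is an added example written for this thread, not code from the original post or from Atlassian; it assumes the app has already obtained the macro body as a string (how it is fetched is out of scope here), and the tag allowlist, the `renderStaticMacro` wrapper and the sample body are all constructed for the illustration.

```javascript
// Added example (not from the thread): defense-in-depth handling of a
// rich-text macro body inside a Connect app, written for Node.js.
// Assumption: the app already holds the macro body as a string `body`.

// Tags the app is willing to pass through (attributes are always dropped).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li']);
// Tags whose inner content is itself dangerous: drop the tag AND its content.
const DROPPED_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// Escape a string so it can only ever render as literal text.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape text between tags; leave already-encoded entities (&amp; &#39; ...) alone
// so storage-format text is not double-encoded.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Walk the body tag by tag. Allowed tags are re-emitted bare (no attributes),
// dangerous containers are removed with their content, and anything else is
// rendered as escaped literal text.
function sanitizeMacroBody(body) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g; // local: no shared lastIndex state
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the dropped container we are currently inside
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const raw = m[0];
    const name = m[1].toLowerCase();
    const closing = raw.startsWith('</');
    if (skipUntil) {
      if (closing && name === skipUntil) skipUntil = null;
      last = tagRe.lastIndex;
      continue;
    }
    out += escapeText(body.slice(last, m.index));
    if (DROPPED_WITH_CONTENT.has(name) && !closing) {
      skipUntil = name;
    } else if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`; // attributes such as onclick are dropped
    } else {
      out += escapeHtml(raw); // unknown tag becomes visible text, never markup
    }
    last = tagRe.lastIndex;
  }
  // Trailing text after the last tag; discarded if a dropped container was never closed.
  if (!skipUntil) out += escapeText(body.slice(last));
  return out;
}

// What the static macro endpoint would return to Confluence (hypothetical wrapper).
function renderStaticMacro(body) {
  return `<div class="my-macro">${sanitizeMacroBody(body)}</div>`;
}

// Constructed sample body, the kind of probe Bob suggests sending through the macro.
const SAMPLE_BODY =
  '<p onclick="x()">Hello &amp; welcome</p>' +
  '<img src=x onerror=alert(1)>' +
  '<script>alert(1)</script><b>done</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderStaticMacro(SAMPLE_BODY));
}
```

Running the block prints `<div class="my-macro"><p>Hello &amp; welcome</p>&lt;img src=x onerror=alert(1)&gt;<b>done</b></div>`: the event handler attribute is gone, the `img` probe is shown as text, and the script element has been removed along with its content. Checking exactly this kind of output is the test Bob recommends below, just run inside the app rather than in Confluence.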

The macro body is in the XML-based storage format, which is sort of a superset of an XHTML fragment. When parsed and rendered by Confluence, it gets sanitized. Rather than take my word for it, though, I’d recommend adding some malicious HTML to the body you return from your static macro to prove to yourself that this is the case.

1 Like

@BobBergman Thank you. I already tried that, and the html I tried got escaped.
I’m looking for documentation on this, as I like to have a statement from Atlassian.

2 Likes

Hi @marc and @BobBergman,

Thanks for raising this. I have created https://jira.atlassian.com/browse/CONFCLOUD-71145. You may like to review it to ensure I’ve captured the issue correctly.

Regards,
Dugald

3 Likes

@dmorrow Thank you for opening an issue on this!

2 Likes