Currently we are looking to have a macro using a static content macro defined in
atlassian-connect.json like this:
    "staticContentMacros": [
      ...
      "outputType": "block",
      "bodyType": "rich-text",
      ...
This results in a rich text editor available for the user to change the macro content. During rendering we get the macro body from Atlassian.
Now my question is: Is the macro body from Atlassian always safe HTML? Do we need to escape the macro body in any way to mitigate XSS attacks?