Macros and rich text and XSS

marc · November 16, 2020, 1:28pm

Currently we are looking to have a macro using a static content macro defined in atlassian-connect.json like this:

 "staticContentMacros": [
...
        "outputType": "block",
        "bodyType": "rich-text",
...

This results in a rich text editor available for the user to change the macro content. During rendering we get the macro body from Atlassian.
Now my question is: Is the macro body from Atlassian always safe html? Do we need to escape the macro body in any way to mitigate XSS attacks?

BobBergman · November 16, 2020, 5:44pm

The macro body is in the XML-based storage format, which is sort of of superset of an XHTML fragment. When parsed and rendered by Confluence, it gets sanitized. Rather than take my word for it, though, I’d recommend adding some malicious HTML to the body you return from your static macro to prove to yourself that this is the case.

marc · November 16, 2020, 7:20pm

@BobBergman Thank you. I already tried that, and the html I tried got escaped.
I’m looking for documentation on this, as I like to have a statement from Atlassian.

dmorrow · November 16, 2020, 10:57pm

Hi @marc and @BobBergman,

Thanks for raising this. I have created https://jira.atlassian.com/browse/CONFCLOUD-71145. You may like to review it to ensure I’ve captured the issue correctly.

Regards,
Dugald

marc · November 17, 2020, 10:50am

@dmorrow Thank you for opening an issue on this!