This results in a rich text editor available for the user to change the macro content. During rendering we get the macro body from Atlassian.
Now my question is: Is the macro body from Atlassian always safe html? Do we need to escape the macro body in any way to mitigate XSS attacks?
The macro body is in the XML-based storage format, which is sort of a superset of an XHTML fragment. When parsed and rendered by Confluence, it gets sanitized. Rather than take my word for it, though, I’d recommend adding some malicious HTML to the body you return from your static macro to prove to yourself that this is the case.
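As an added example, not code from this thread or from Atlassian: the defensive escaping a static macro could apply to its body before echoing it into its own HTML, together with the kind of payloads the answer above suggests pasting into the body to test. This is Node-style JavaScript; the function names, the `my-macro` class and the payload strings are constructed for illustration and do not reproduce Confluence's own sanitizer.

```javascript
// Added example (not Confluence or Atlassian code): defense-in-depth escaping of a
// macro body before a static macro echoes it into its own HTML output.

// The five characters that can break out of text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is rendered as literal text wherever it is inserted.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed test payloads of the sort one would paste into the macro body
// to confirm nothing executes after rendering.
const TEST_PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '" onmouseover="alert(1)',
  "<a href='javascript:alert(1)'>x</a>",
];

// True when an escaped fragment can no longer open a tag or close an attribute.
function isNeutralized(escapedFragment) {
  return !/[<>"']/.test(escapedFragment);
}

// Run every constructed payload through the escaper and report whether all
// of them came out inert.
function allPayloadsNeutralized() {
  return TEST_PAYLOADS.every((p) => isNeutralized(escapeHtml(p)));
}

// Hypothetical static-macro renderer: wraps the escaped body in the macro's own markup.
function renderStaticMacro(body) {
  return `<div class="my-macro">${escapeHtml(body)}</div>`;
}

console.log(renderStaticMacro(TEST_PAYLOADS[0]));
console.log('all payloads neutralized:', allPayloadsNeutralized());
```

Note the trade-off: escaping like this turns the body into plain text, which defeats the point of giving the user a rich text editor for it. It is the right tool only if your macro treats the body as text; if you want the body rendered as markup, the sanitization Confluence applies to the storage format when it renders the page is what you are relying on, and the test payloads above are how you verify that rather than take it on faith.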
@BobBergman Thank you. I already tried that, and the HTML I tried got escaped.
I’m looking for documentation on this, as I like to have a statement from Atlassian.