...

...

Summary

To improve security when using HTML Include Replace, a configuration page has been added that gives the Administrator control over which URLs the macro is allowed to include and whether the included content may carry scripts.

Warning

Confluence 7.14.0 issue:

  • The values in the Whitelisted URL table fail to render. To fix this, upgrade Confluence to version 7.14.1.

Relates to - https://jira.atlassian.com/browse/CONFSERVER-73757

Configuration Fields

Field

Description

Exclude scripts

This is the global switch that disables scripting for the macro. When the box is checked, any scripts contained in the content fetched from the whitelisted URL are excluded from the rendered output.

Custom error message

The custom error message is shown when a user tries to include a URL that is not whitelisted. Use it to tell users whom to contact or why the request was refused.

Important: the default message is used the first time the configuration screen is opened and whenever this field is left empty.

Default message: The URL specified is not whitelisted. Please speak to a system administrator.

Full URL

The URL, or URL pattern, to whitelist.

Plain or Regex

When adding a URL you must select either the Plain or the Regex type. Plain entries are compared as literal strings; Regex entries are treated as regular expressions. Write a Regex entry so that it describes the complete URL rather than a substring of it, otherwise it may accept more hosts than intended.

Sort by

Allows you to sort the list by the following criteria:

  • A to Z

  • Z to A

  • Ascending ID

  • Descending ID
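The following is an added example, not code from the macro itself, that models how the fields above interact: whitelist matching for Plain and Regex entries, the custom/default error message, and the global Exclude scripts switch. It assumes that a Plain entry must equal the URL exactly and that a Regex entry must match the whole URL (the page does not state how the macro compares them); it also drops inline on* event-handler attributes, which is stricter than the "scripts" the page mentions, and it uses a constructed sample page in place of a real HTTP fetch. The unanchored variant is included only to show why a Regex entry should describe the complete URL.

```python
import html
import re
from html.parser import HTMLParser

# Default text from the configuration table, used when no custom message is set.
DEFAULT_ERROR_MESSAGE = ("The URL specified is not whitelisted. "
                         "Please speak to a system administrator.")


def is_whitelisted(url, entries):
    """Return True if `url` matches one (kind, value) whitelist entry.

    Assumptions of this example: a "plain" entry must equal the URL exactly,
    and a "regex" entry must match the *whole* URL (re.fullmatch), so the
    pattern "http://localhost" does not accept "http://localhost.evil.example".
    """
    for kind, value in entries:
        if kind == "plain" and url == value:
            return True
        if kind == "regex" and re.fullmatch(value, url):
            return True
    return False


def unanchored_regex_allows(pattern, url):
    """Unsafe variant: re.search accepts any URL that merely contains a match,
    which is how an unanchored Regex entry becomes a whitelist bypass."""
    return re.search(pattern, url) is not None


class ScriptStripper(HTMLParser):
    """Re-serialise HTML, dropping <script> elements and (assumption, stricter
    than the page) inline on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.in_script = False
        self.scripts_removed = 0

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                continue  # inline handlers are scripting too
            kept.append(f" {name}" if value is None
                        else f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts_removed += 1
        elif not self.in_script:
            self.parts.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self.in_script and tag != "script":
            self.parts.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies arrive here as CDATA; drop them
            self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        if not self.in_script:
            self.parts.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.parts.append(f"<!{decl}>")


def strip_scripts(markup):
    """Return (cleaned_html, number_of_script_elements_removed)."""
    parser = ScriptStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts), parser.scripts_removed


def render_include(url, markup, entries, exclude_scripts_globally,
                   include_scripts_in_macro, custom_message=""):
    """What the macro would output for `url` whose fetched body is `markup`.

    Precedence follows the page: the global Exclude scripts setting wins, so
    the macro-level Include Scripts flag only matters when the global
    exclusion is off. Returns (allowed, body_or_message, scripts_removed).
    """
    if not is_whitelisted(url, entries):
        return False, custom_message or DEFAULT_ERROR_MESSAGE, 0
    if exclude_scripts_globally or not include_scripts_in_macro:
        body, removed = strip_scripts(markup)
        return True, body, removed
    return True, markup, 0


# Constructed sample standing in for http://localhost (three script elements).
SAMPLE_PAGE = (
    '<html><head><script src="/a.js"></script></head>'
    '<body onload="init()"><h1>Hello &amp; welcome</h1>'
    '<script>alert(1)</script><p>text</p>'
    '<script type="module">import "./b.js"</script></body></html>'
)

# Constructed whitelist: one Plain entry and one whole-URL Regex entry.
WHITELIST = [("plain", "http://localhost"),
             ("regex", r"https://wiki\.example\.com/(display|pages)/.*")]

if __name__ == "__main__":
    print(render_include("http://localhost", SAMPLE_PAGE, WHITELIST, True, True))
    print(render_include("http://evil.example/", SAMPLE_PAGE, WHITELIST, True, True))
```

Note that `render_include("http://localhost/", ...)` is refused with the Plain entry above because of the trailing slash; whether the real macro normalises URLs before comparing is not stated on the page, so test the exact form your users will type.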

Example 1

I want to whitelist the http://localhost URL and disable scripting to improve security. If a user tries to include a non-whitelisted URL, I want my custom error message to be displayed.

Accessing localhost in the browser (the page contains 6 scripts in total, as shown in the console):

Script exclusion, the custom error message and the whitelisted URL (Plain type) have been set:

Accessing localhost in browser:

...

Accessing localhost in the Macro:

...

Console output:

...

Setting Include Scripts to true in the macro does not override Exclude Scripts (set to true) in the Configuration: the global setting takes precedence.

Console output once Exclude Scripts is set to false in the Configuration, viewed in Preview mode:

...

Accessing a non-whitelisted URL:

Whitelisted URLs and Macro: