
(warning) The inclusion of content from other websites on Confluence pages is a security risk. Use this macro only if you trust all of your users.

(info) We recently had a conversation with Atlassian Support on the topic of XSS issues (https://ecosystem.atlassian.net/servicedesk/customer/portal/14/DEVHELP-3306, not public). Summary: Use of this app is at your own risk. Whilst we can whitelist sites, and the app does have some support for blocking SOME standard scripts, we do not consider XSS attack proofs an inherent security issue that must be fixed, as the list of XSS attacks is endless.

Configuration page

From version 1.4.2, we've added functionality to improve the security of this macro. It gives the administrator control over which URLs are accessible, through whitelisting, and over excluding scripts from the source code. For more information, refer to Configuration page - Security Enhancement.
