Excerpt

Enables arbitrary HTML pages to be pulled into Confluence, with relative and site-specific links rewritten automatically so that images, scripts, style sheets and similar assets load.

XSS Attack Acceptance

The inclusion of content from other websites on Confluence pages is a security risk. Use this app only if you trust all of your users.

Use of this app is at your own risk. Although sites can be whitelisted and there is some support for blocking some standard scripts, we do not consider XSS proofs of concept to be an inherent security issue that must be fixed, as the list of possible XSS attacks is endless.

Our response to XSS attack reports

As of 24 SEP 2019, any XSS-related attack reported against HTMLIR will not be treated as a security issue requiring rectification; it will be accepted as feedback, which may or may not be used to improve the product moving forward. Atlassian is in agreement; feel free to query Atlassian Support and refer to https://ecosystem.atlassian.net/servicedesk/customer/portal/14/DEVHELP-3306.

Configuration page

From version 1.4.2, we've added functionality to aid the security of this macro. It gives the Administrator control over which URLs are accessible, via whitelisting, and allows scripts to be excluded from the included source code. For more information, please refer to Configuration page - Security Enhancement.
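As an added illustration, not the app's own code, of the two controls described on this page (whitelisting the hosts a page may be pulled from, and rewriting relative links while dropping script elements), here is a small Python model; the allowed host, the sample HTML and all function names are constructed for the example:

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist an administrator has configured (constructed value).
ALLOWED_HOSTS = {"docs.example.com"}

# Rewrites double-quoted src/href values only, which is enough for the demo.
_ATTR_RE = re.compile(r'\b(src|href)\s*=\s*"([^"]*)"', re.IGNORECASE)
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample of an included page fragment with relative asset links.
SAMPLE_HTML = (
    '<img src="img/logo.png"><link href="/css/site.css" rel="stylesheet">'
    '<script src="/js/app.js"></script><a href="../page2.html">next</a>'
)


def host_allowed(url: str) -> bool:
    """Exact host comparison on an absolute http(s) URL.

    A substring or prefix check would wrongly accept docs.example.com.evil.test,
    and a scheme-relative URL (//host/...) has no scheme and is rejected."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def rewrite_links(html: str, page_url: str) -> str:
    """Resolve relative src/href against the included page's URL so assets load."""
    def absolutize(match: re.Match) -> str:
        return f'{match.group(1)}="{urljoin(page_url, match.group(2))}"'
    return _ATTR_RE.sub(absolutize, html)


def include_page(page_url: str, html: str) -> str:
    """Admission check first, then strip <script> elements, then rewrite links.

    Only script elements are removed; inline event handlers and other vectors
    are left alone, which is why the host allowlist carries the real weight."""
    if not host_allowed(page_url):
        raise ValueError(f"source host not on allowlist: {page_url}")
    return rewrite_links(_SCRIPT_RE.sub("", html), page_url)
```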
