...
Excerpt |
---|
Enables arbitrary HTML pages to be pulled into Confluence and automatically have relative and site-specific links rewritten so that images, scripts, style sheets etc. load. |
XSS Attack Acceptance |
---|
The inclusion of content from other websites on Confluence pages is a security risk. Use if you trust all your users. Use of this app is at your own risk: whilst we can whitelist sites, and the app does have some support for blocking SOME standard scripts, we do not consider XSS attack proofs an inherent security issue that must be fixed, as the list of XSS attacks is endless. |
Our response to XSS attack reports
...
Drivers for development
The Confluence HTML Macros include {html-include}, which is a neat way of pulling arbitrary content into Confluence. For me, I have a sister Twiki that can't be imported into Confluence due to its dynamic data. The Atlassian plugin doesn't take account of relative URLs:
Example | Renders in Confluence as | Result |
---|---|---|
href="someplace/somefile.gif" | href="http://confluencePAGE_URL/someplace/somefile.gif" | |
location="../../someplace/somefile.gif" | href="http://confluencePAGE_URL/../../someplace/somefile.gif" | |
href="/someplace/somefile.gif" | href="http://confluenceSERVER_URL/someplace/somefile.gif" | |
An ajaxy/GWT application |
Info | |
---|---|
title | Attempting to get code adopted |
This plugin was a response to CONF-6567 and the low vote count it had. I'm currently attempting to get it adopted by Atlassian, as it would be even better if this could take advantage of the 2.9.2+ site white-listing features in the Atlassian macro, which is currently not possible probably. |
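The three relative-link cases in the table above, combined with the site whitelisting mentioned in the XSS section, as an added example (not the plugin's own code): links are resolved against the source page URL rather than the Confluence page URL, and anything that is not http(s) or not on the allowlist is dropped. The function names, the allowlist contents and the `data-blocked-*` attribute are assumptions for illustration, and only double-quoted attributes are handled.

```javascript
// Added illustration; every name below is hypothetical, not the plugin's API.
// Constructed sample values, taken from the usage example on this page.
const SOURCE_URL = "http://someplace/possiblysomedir/somefile.html";
const ALLOWED_HOSTS = new Set(["someplace"]); // constructed allowlist

// Resolve one link value against the SOURCE page (not the Confluence page).
// Returns the absolute URL, or null when the link must not be emitted.
function resolveLink(value, sourceUrl) {
  let resolved;
  try {
    // WHATWG URL resolution handles "x/y", "../../x/y", "/x/y" and "//host/x".
    resolved = new URL(value.trim(), sourceUrl);
  } catch {
    return null; // unparseable link value
  }
  // Reject javascript:, data:, file: and any other non-web scheme.
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return null;
  }
  // Reject hosts the administrator has not allowlisted.
  if (!ALLOWED_HOSTS.has(resolved.hostname)) {
    return null;
  }
  return resolved.href; // serialised form contains no raw double quote
}

// Rewrite href= and src= attributes in a fragment of included HTML.
// Simplification: matches double-quoted attribute values only; a parser-based
// pass (such as the jtidy or neko engines named on this page) covers
// single-quoted and unquoted values as well.
function rewriteLinks(html, sourceUrl) {
  return html.replace(/\b(href|src)\s*=\s*"([^"]*)"/gi, (match, attr, value) => {
    const absolute = resolveLink(value, sourceUrl);
    if (absolute === null) {
      // Keep a marker so a blocked link is visible when reviewing the output.
      return `data-blocked-${attr.toLowerCase()}=""`;
    }
    return `${attr}="${absolute}"`;
  });
}
```

Resolving against the source URL is what keeps `../../` links from escaping into the Confluence URL space, and the scheme-relative form (`//host/path`) is checked against the allowlist like any other absolute link.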
...
Grab the latest stable jar (snapshots are not stable), upload to Confluence manually through the admin Plugin Page.
Usage(s)
No Formatcode |
---|
{html-include-replace:url=http://someplace/possiblysomedir/somefile.html} |
No Formatcode |
---|
{html-include-replace:url=http://someplace/possiblysomedir/somefile.html|container=iframe|width=400|height=400} |
Options | Example Value | Description |
---|---|---|
replace1 | replace1=badtag | e.g. 'replace' with a unique (replacement) number suffix (subject of a future refactor, I'm sure). Causes the whole of the 'badtag' to be removed, including its closing badtag; necessary if a given tag causes jtidy parse problems. |
engine | jtidy | Optional parameter that enables different cleanup engines to be selected. The default is the Atlassian Fast Page Parser; other options include 'jtidy' and 'neko'. |
includeStyles | true | Styles (.css) referenced via href= attributes are dynamically loaded into the page from the source server. There IS a very real risk of collisions with Confluence CSS names; styling of Confluence may be adversely affected. |
includeScripts | true | Scripts (.js) referenced via href= attributes are dynamically loaded into the page from the source server. |
container | none, div, iframe | Defines whether a container element should wrap the included elements. In the case of IFrame, this totally separates the content. |
width | 400, 50% | Sets the width of the IFrame, if used. |
height | 500, 50% | Sets the height of the IFrame, if used. |
style | 'scrolling: auto; align: right' | Any CSS styles to be applied. |
Example
CNN in a box:
No Formatcode |
---|
{html-include-replace:url=http://www.cnn.com|includeStyles=true} |
Version History
Version |
---|
0.5 |
0.4 |
0.3 |
Known Issues
Legacy Issues
Completed | Priority | Locked | CreatedDate | CompletedDate | Assignee | Name |
---|---|---|---|---|---|---|
F | M | F | 1233054166753 | | matus.ferko | Replacements not done with regex, only works for 'plain' tags, needs regexp'ing |
F | M | F | 1233078083387 | | javahollic | Wonder about how to filter dynamically loaded content that may already have been loaded (eg confluence .js libraries), also figure out how to make CSS sheets loaded _not_ take precedence over Confluence loaded styles |
F | M | F | 1233156937148 | | javahollic | It will not work with _every_ web page in the world, wellformed markup will help. |
F | M | F | 1233156953376 | | javahollic | Inline scripts and styles are not yet supported |
IFrame blocked
Some websites have frameworks in place to prevent their web pages from being loaded in an IFrame, for a number of reasons such as preventing clickjacking attacks. Such pages cannot be loaded in an IFrame and must instead be loaded in a 'div'.
EULA
This software is licensed under the provisions of the Standard EULA from the Atlassian Marketplace Terms of Use as a Marketplace Product.
...