Confluence HTML Include-Replace


XSS Attack Acceptance

XSS Attack Acceptance

The inclusion of content from other websites on Confluence pages is a security risk. Use if you trust all your users.

Use of this app is at your own risk, whilst we can whitelist sites, and does have some support for blocking SOME standard scripts, we do not consider XSS attack proofs as an inherent security issue that must be fixed, as the list of XSS attacks is endless.

Our response to XSS attack reports

As of 24 SEP 2019, any/all XSS related attacks that are reported against HTMLIR will not be considered as a Security Issue requiring rectification, but will be accepted as feedback, which may or may not be used to improve the product moving forward.  Atlassian is in agreement, feel free to query Atlassian Support and refer

Configuration page

From version 1.4.2, we've addressed additional functionality to aid the security for this Macro. This provides the Administrator with control over the URLs which are accessible via White-listing and excluding scripts from the source code. For more information on this, please refer to Configuration page - Security Enhancement.

Drivers for development

The Confluence HTML Macros include {html-include} which is neat way of pulling arbitrary content into Confluence. For me I have a sister Twiki that cant be imported into Confluence due to its dynamic data. The Atlassian plugin doesn't take account of relative URL's,


Renders in Confluence as



Renders in Confluence as








An ajaxy/GWT application


Attempting to get code adopted

This plugin was a response to CONF-6567 and the low vote count it had, I;m currently attempting to get it adopted by Atlassian as it would be even better if this could take advantage of the 2.9.2+ site White-listing features in the Atlassian macro, which is currently not possible probably.


This plugin loads page content from a given URL and performs a regular expression search/replace for many common tag attributes that have URL parameters, one for relative URL's and one for absolute URL's. It conveniently enables No / DIV / IFRAME 'container' elements around content. In the case of IFrame, this plugin doesn't do much except render the IFrame tag with the related source, as 'it just works'.


Grab the latest stable jar (snapshots are not stable), upload to Confluence manually through the admin Plugin Page.


1 {html-include-replace:url=http://someplace/possiblysomedir/somefile.html}

1 {html-include-replace:url=http://someplace/possiblysomedir/somefile.html|container=iframe|width=400|height=400}


Example Value




Example Value





eg'replace' with unique (replacement) number suffixes, (subject of future refactor I'm sure) causes the whole of the 'badtag' to be removed, including its closing badtag, necessary if a given tag causes jtidy parse problems




optional parameter, enables different cleanup engines to be selected, default is Atlassian Fast Page Parser, other options include: 'jtidy' and 'neko'




Styles (.css) referenced via href= attributes are dynamically loaded into page from the source server IS a very real risk of collisions with Confluence CSS names, styling of Confluence may be adversely affectged.




Scripts (.js) referenced via href= attributes are dynamically loaded into page from the source server
IS a very real risk of XSS attacks
IS a very real risk of Javascript collisions, possibly causing Confluence to behave improperly (older version of common libraries being loaded for example




defines whether a container element should wrap included elements. In the case of IFrame, this totally separates content





sets the width of the IFrame if used




sets the height of the IFrame if used


'scrolling: auto; align: right'

any CSS styles to be applied



CNN in a box:

1 {html-include-replace:url=|includeStyles=true}

Version History


  • hope to get Atlassian to merge this into their html-include plugin so this functionality gets the advantage of the target site whitelisting

  • extend to allow users to specify additional tags/functions that need to get processed


  • Enables GWT applications to be embedded in confluence via Iframes


  • Removals execute irrespective of engine selection

  • Scripts and Styles referred to in the head section of the source URL page, can be dynamically loaded into the page to help fix layout/display problems (but introduces a whole heap of other possible problems


  • Uses regexp to replace most tags, added comprehensive unit testing for correct URL replacement

Known Issues

Legacy Issues

1 2 3 4 5 ||Completed||Priority||Locked||CreatedDate||CompletedDate||Assignee||Name|| |F|M|F|1233054166753| |matus.ferko|Replacements not done with regex, only works for 'plain' tags, needs regexp'ing| |F|M|F|1233078083387| |javahollic|Wonder about how to filter dynamically loaded content that may already have been loaded (eg confluence .js libraries), also figure out how to make CSS sheets loaded _not_ take precendence over Confluence loaded styles| |F|M|F|1233156937148| |javahollic|It will not work with _every_ web page in the world, wellformed markup will help.| |F|M|F|1233156953376| |javahollic|Inline scripts and styles are not yet supported|

IFrame blocked

Some websites have frameworks in place to prevent their web pages from being loaded in an IFrame for a number of reasons such as preventing clickjacking attacks. As such it is not possible to load these pages in an IFrame and must instead be loaded in a ‘div’.


This software is licensed under the provisions of the Standard EULA from the Atlassian Marketplace Terms of Use as a Marketplace Product.

The "Standard EULA" is reproduced here for convenience. In this case, the "Publisher" is The Plugin People Ltd:

(i) The Publisher is the licensor of the Marketplace Product and Atlassian is not a party to the Publisher EULA or this Standard EULA, as applicable.

(ii) If the Marketplace Product does not include a Publisher EULA that specifies Marketplace Product license rights, Publisher grants you a limited, worldwide, non-exclusive, non-transferable and non-sublicensable license to download and use the Marketplace Product only on hardware systems owned, leased or controlled by you.

(iii) Licenses granted by Publisher are granted subject to the condition that you must ensure the maximum number of Authorized Users that are able to access and use the Marketplace Product concurrently is equal to the number of User Licenses for which the necessary fees have been paid to Atlassian and/or its authorized partners (each, an "Atlassian Expert"). You may purchase additional User Licenses at any time on payment of the appropriate fees to Atlassian or an Atlassian Expert. "User License" means a license granted under this EULA to you to permit an Authorized User to use the Marketplace Product. The number of User Licenses granted to you is dependent on the fees paid by you. "Authorized User" means a person who accesses and uses a Marketplace Product under the EULA and for which the necessary fees have been paid to Atlassian and/or an Atlassian Expert.

(iv) Any information that Publisher collects from you or your device will be subject to any Publisher EULA, privacy notice, or similar terms that the Publisher provides to you, and will not be subject to the Atlassian Privacy Policy (unless Atlassian is the Publisher).

(v) You may not modify, reverse engineer, decompile or disassemble the Marketplace Product in whole or in part, or create any derivative works from or sublicense any rights in the Marketplace Product, unless otherwise expressly authorized in writing by Publisher.

(vi) The Marketplace Product is protected by copyright and other intellectual property laws and treaties. Unless otherwise expressly stated in the Publisher EULA, Publisher or its licensors own all title, copyright and other intellectual property rights in the Marketplace Product, and the Marketplace Product is licensed to you directly by the Publisher, not sold.

Additional Terms

This product is covered by the General Software Product EULA.