Confluence HTML Include Replace
Summary
Enables arbitrary HTML pages to be pulled into Confluence and automatically have relative and site-specific links rewritten so that images, scripts, style sheets, etc. load.
XSS Attack Acceptance |
---|
The inclusion of content from other websites on Confluence pages is a security risk. Use it if you trust all your users. Use of this app is at your own risk. Whilst we can whitelist sites, and the app does have some support for blocking SOME standard scripts, we do not consider XSS attack proofs an inherent security issue that must be fixed, as the list of XSS attacks is endless. |
Our response to XSS attack reports
As of 24 SEP 2019, any/all XSS related attacks that are reported against HTMLIR will not be considered as a Security Issue requiring rectification, but will be accepted as feedback, which may or may not be used to improve the product moving forward. Atlassian is in agreement; feel free to query Atlassian Support and refer to https://ecosystem.atlassian.net/servicedesk/customer/portal/14/DEVHELP-3306.
Configuration page
From version 1.4.2, we've added functionality to aid the security of this macro. It gives the Administrator control over which URLs are accessible, via white-listing, and allows scripts to be excluded from the source code. For more information on this, please refer to Configuration page - Security Enhancement.
Drivers for development
The Confluence HTML Macros include {html-include}, which is a neat way of pulling arbitrary content into Confluence. For me, I have a sister Twiki that can't be imported into Confluence due to its dynamic data. The Atlassian plugin doesn't take account of relative URLs:
Example | Renders in Confluence as | Result |
---|---|---|
href="someplace/somefile.gif" | href="http://confluencePAGE_URL/someplace/somefile.gif" | |
location="../../someplace/somefile.gif" | href="http://confluencePAGE_URL/../../someplace/somefile.gif" | |
href="/someplace/somefile.gif" | href="http://confluenceSERVER_URL/someplace/somefile.gif" | |
An ajaxy/GWT application |
|
Attempting to get code adopted
This plugin was a response to CONF-6567 and the low vote count it had. I'm currently attempting to get it adopted by Atlassian, as it would be even better if this could take advantage of the 2.9.2+ site White-listing features in the Atlassian macro, which is currently probably not possible.
Description
This plugin loads page content from a given URL and performs a regular expression search/replace for many common tag attributes that have URL parameters, one for relative URLs and one for absolute URLs. It conveniently enables No / DIV / IFRAME 'container' elements around content. In the case of IFrame, this plugin doesn't do much except render the IFrame tag with the related source, as 'it just works'.
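The link rewriting described above, as an added Python sketch that is not the plugin's own (Java) code: it resolves the three cases from the table under "Drivers for development" against the source page instead of the Confluence page, and lists the hosts a reader's browser will contact afterwards, which an administrator can compare with the whitelist. The attribute list, function names and the `source.example` / `other.example` hosts are assumptions made for the illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed subset of URL-bearing attributes; the plugin's own list is not on the page.
URL_ATTRS = ("href", "src", "action", "background")
ATTR_RE = re.compile(
    r'(?<![\w-])(?P<attr>%s)\s*=\s*(?P<q>["\'])(?P<url>.*?)(?P=q)' % "|".join(URL_ATTRS),
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample input; source.example and other.example are placeholder hosts.
SOURCE_URL = "http://source.example/docs/wiki/page.html"
SAMPLE = """
<a href="someplace/somefile.gif">relative</a>
<img src='../../someplace/somefile.gif'>
<link rel="stylesheet" href="/someplace/style.css">
<script src="http://other.example/lib.js"></script>
<a href="#top">fragment</a>
"""

def rewrite_links(html, source_url):
    """Resolve relative and site-relative URLs against the page the HTML came from."""
    def fix(m):
        url = m.group("url").strip()
        # Fragment-only links and URLs that already carry a scheme are left unchanged.
        if not url or url.startswith("#") or urlsplit(url).scheme:
            return m.group(0)
        q = m.group("q")
        return f'{m.group("attr")}={q}{urljoin(source_url, url)}{q}'
    return ATTR_RE.sub(fix, html)

def referenced_hosts(html, source_url):
    """Hosts a browser contacts once the rewritten HTML is rendered in Confluence."""
    urls = (m.group("url") for m in ATTR_RE.finditer(rewrite_links(html, source_url)))
    return {urlsplit(u).hostname for u in urls if urlsplit(u).scheme in ("http", "https")}

if __name__ == "__main__":
    print(rewrite_links(SAMPLE, SOURCE_URL))
    print(sorted(referenced_hosts(SAMPLE, SOURCE_URL)))
```

Every host in the second result serves content into the Confluence page, so each one needs the same trust as the included page itself.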
Installation
Grab the latest stable jar (snapshots are not stable) and upload it to Confluence manually through the admin Plugin Page.
Usage(s)
{html-include-replace:url=http://someplace/possiblysomedir/somefile.html}
{html-include-replace:url=http://someplace/possiblysomedir/somefile.html|container=iframe|width=400|height=400}
Options | Example Value | Description |
---|---|---|
replace1 | replace1=badtag | 'replace' with a unique (replacement) number suffix (subject of a future refactor, I'm sure). Causes the whole of the 'badtag' to be removed, including its closing badtag; necessary if a given tag causes jtidy parse problems |
engine | jtidy | optional parameter, enables different cleanup engines to be selected; default is Atlassian Fast Page Parser, other options include 'jtidy' and 'neko' |
includeStyles | true | Styles (.css) referenced via href= attributes are dynamically loaded into the page from the source server. There IS a very real risk of collisions with Confluence CSS names; styling of Confluence may be adversely affected. |
includeScripts | true | Scripts (.js) referenced via href= attributes are dynamically loaded into the page from the source server |
container | none, div or iframe | defines whether a container element should wrap included elements. In the case of IFrame, this totally separates content |
width | 400 or 50% | sets the width of the IFrame if used |
height | 500 or 50% | sets the height of the IFrame if used |
style | 'scrolling: auto; align: right' | any CSS styles to be applied |
Example
CNN in a box:
{html-include-replace:url=http://www.cnn.com|includeStyles=true}
Version History
? |
|
---|---|
0.5 |
|
0.4 |
|
0.3 |
|
Known Issues
Legacy Issues
IFrame blocked
Some websites have frameworks in place to prevent their web pages from being loaded in an IFrame, for a number of reasons such as preventing clickjacking attacks. As such, it is not possible to load these pages in an IFrame, and they must instead be loaded in a 'div'.
EULA
This software is licensed under the provisions of the Standard EULA from the Atlassian Marketplace Terms of Use as a Marketplace Product.
The "Standard EULA" is reproduced here for convenience. In this case, the "Publisher" is The Plugin People Ltd:
(i) The Publisher is the licensor of the Marketplace Product and Atlassian is not a party to the Publisher EULA or this Standard EULA, as applicable.
(ii) If the Marketplace Product does not include a Publisher EULA that specifies Marketplace Product license rights, Publisher grants you a limited, worldwide, non-exclusive, non-transferable and non-sublicensable license to download and use the Marketplace Product only on hardware systems owned, leased or controlled by you.
(iii) Licenses granted by Publisher are granted subject to the condition that you must ensure the maximum number of Authorized Users that are able to access and use the Marketplace Product concurrently is equal to the number of User Licenses for which the necessary fees have been paid to Atlassian and/or its authorized partners (each, an "Atlassian Expert"). You may purchase additional User Licenses at any time on payment of the appropriate fees to Atlassian or an Atlassian Expert. "User License" means a license granted under this EULA to you to permit an Authorized User to use the Marketplace Product. The number of User Licenses granted to you is dependent on the fees paid by you. "Authorized User" means a person who accesses and uses a Marketplace Product under the EULA and for which the necessary fees have been paid to Atlassian and/or an Atlassian Expert.
(iv) Any information that Publisher collects from you or your device will be subject to any Publisher EULA, privacy notice, or similar terms that the Publisher provides to you, and will not be subject to the Atlassian Privacy Policy (unless Atlassian is the Publisher).
(v) You may not modify, reverse engineer, decompile or disassemble the Marketplace Product in whole or in part, or create any derivative works from or sublicense any rights in the Marketplace Product, unless otherwise expressly authorized in writing by Publisher.
(vi) The Marketplace Product is protected by copyright and other intellectual property laws and treaties. Unless otherwise expressly stated in the Publisher EULA, Publisher or its licensors own all title, copyright and other intellectual property rights in the Marketplace Product, and the Marketplace Product is licensed to you directly by the Publisher, not sold.
Additional Terms
This product is covered by the General Software Product EULA.