Configuration page - Security Enhancement

Summary

To enhance security when using HTML Include Replace, a configuration page has been implemented that gives the Administrator control over what the Macro is allowed to access.

Confluence 7.14.0 issue:

  • Values under the Whitelisted URL table fail to render. To fix this issue, upgrade Confluence to version 7.14.1.

Relates to - https://jira.atlassian.com/browse/CONFSERVER-73757

Configuration Fields

Field

Description

Exclude scripts

This is the global setting that disables scripting for the Macro. When this field is checked, any scripts in the content fetched from the provided URL are excluded.

Custom error message

The custom error message is shown when a user accesses a URL that is not whitelisted. Its purpose is to tell the user whom to contact and the reason for the error.

Important: The default message is used when the configure screen is opened for the first time or when this field is left empty.

Default message: xhtml+html-include-replace; The URL specified is not whitelisted. Please speak to a system administrator.

Full URL

The URL to whitelist.

Plain or Regex

When specifying the URL, you must select either Plain or Regex matching.

Sort by

Allows you to sort the list by the following criteria:

  • A to Z

  • Z to A

  • Ascending ID

  • Descending ID

Example 1

I want to access the http://localhost URL with scripting disabled to enhance security. If a user tries to access a non-white-listed URL, I want my custom error message to be displayed.

Script Exclusion, Custom Error Message and a White-listed URL (Plain type) have been set:

Accessing localhost in browser:

Accessing localhost in the Macro:

Console output:

Setting Include Scripts to true in the Macro does not override the Exclude Scripts setting (set to True) in the Configuration.

Console output once Exclude Scripts is set to False (Preview mode):

Accessing a non-white-listed URL:

Whitelisted URLs and the Macro:
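The allowlist and script-exclusion rules described under Configuration Fields and Example 1, modelled as an added Python example (not the macro's own code; the config class, function names and sample URLs are assumptions):

```python
import re
from dataclasses import dataclass, field

# Default message used when the Custom error message field is empty (from the page)
DEFAULT_MESSAGE = "The URL specified is not whitelisted. Please speak to a system administrator."

# Matches <script ...>...</script> blocks; a simple illustration of script exclusion,
# not a full HTML sanitizer (it ignores inline event handlers, for example).
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


@dataclass
class IncludeConfig:
    """Model of the configuration page (hypothetical; field names are assumptions)."""
    exclude_scripts: bool = True        # global "Exclude scripts" checkbox
    custom_error_message: str = ""      # empty means the default message is used
    whitelist: list = field(default_factory=list)  # entries are ("plain"|"regex", url)


def error_message(cfg: IncludeConfig) -> str:
    return cfg.custom_error_message or DEFAULT_MESSAGE


def is_whitelisted(cfg: IncludeConfig, url: str) -> bool:
    """Plain entries must equal the whole URL; regex entries are checked with
    fullmatch so an unanchored pattern cannot match a mere substring of the URL."""
    for kind, value in cfg.whitelist:
        if kind == "plain" and url == value:
            return True
        if kind == "regex" and re.fullmatch(value, url) is not None:
            return True
    return False


def render(cfg: IncludeConfig, url: str, fetched_html: str, include_scripts: bool = False) -> str:
    """Decide what the Macro shows for a URL. The macro-level Include Scripts
    parameter only takes effect when the global Exclude scripts setting is off."""
    if not is_whitelisted(cfg, url):
        return error_message(cfg)
    if cfg.exclude_scripts or not include_scripts:
        return SCRIPT_RE.sub("", fetched_html)
    return fetched_html


# Constructed sample configuration mirroring Example 1 on this page.
EXAMPLE_CONFIG = IncludeConfig(
    exclude_scripts=True,
    custom_error_message="This URL is not approved. Contact the wiki administrators.",
    whitelist=[("plain", "http://localhost"), ("regex", r"https://intranet\.example\.com/.*")],
)
```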