Details
- Suggestion
- Resolution: Won't Fix
- Confluence OnDemand
Description
I would like to be able to use the Custom HTML Plugin & the HTML Macro with my Confluence OnDemand instance. I know from this issue that there are security concerns with the plugin, so I suppose the focus of this feature request is for the development team to mitigate the XSS attack vector.
I envision a solution that would involve server-side code to filter out the User-HTML-Block whenever a page is viewed by users with elevated privileges. I don't know a whole lot about XSS attacks, but is it not the case that the malicious JavaScript must be executed client-side for the attack to work? If the User-HTML is filtered out, then the JavaScript can't execute.
Ultimately, I want to use Custom HTML to include JavaScript snippets from various web services like DISQUS & Google Analytics, and the HTML macro for including raw HTML.
I suppose an alternative solution would be a series of plugins & macros similar to the Widget macro that would render predefined JavaScript snippets. That does solve my raw HTML issue.
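The two server-side treatments of a raw user-HTML block discussed in this request, as an added example that is not part of the issue and not Confluence or plugin code: a hypothetical `render_user_html` that either hides the block from privileged viewers, as the request proposes, or runs it through a small allowlist sanitizer for every viewer. The allowlist, the placeholder comment and the sample block are all constructed for the example.

```python
import html
from html.parser import HTMLParser
# Hypothetical server-side logic, not Confluence code; allowlist is constructed.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "div", "span"}
ALLOWED_ATTRS = {"href", "title", "class"}
PLACEHOLDER = "<!-- user HTML block hidden for privileged viewer -->"

class _Sanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; <script>/<style> bodies are discarded."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True, so handle_data gets decoded text
        self.out, self._skip = [], 0  # _skip > 0 while inside <script> or <style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = (value or "").strip()
                if name not in ALLOWED_ATTRS:  # drops on* handlers, src, style, ...
                    continue
                if name == "href" and value.lower().startswith("javascript:"):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text

def sanitize(block):
    p = _Sanitizer(); p.feed(block); p.close()
    return "".join(p.out)

def render_user_html(block, viewer_is_privileged, mode="drop-for-privileged"):
    """'drop-for-privileged' is the issue's proposal; 'sanitize' filters for every viewer."""
    if mode == "sanitize":
        return sanitize(block)
    return PLACEHOLDER if viewer_is_privileged else block

# Constructed sample block: an analytics-style script tag plus an inline handler.
SAMPLE_BLOCK = ('<p>Widget</p><script src="https://example.invalid/embed.js"></script>'
                '<div onclick="track()">hi</div>')
```

Note that the drop-for-privileged path returns the block unchanged to every other viewer, so any script in it still runs in their browsers; only the sanitizing path removes it for all viewers, at the cost of also stripping the very embeds (DISQUS, Google Analytics) the request wants to keep.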