- Type: Bug
- Resolution: Unresolved
- Priority: Medium
- Affects Version/s: 9.2.0, 10.2.0
- Component/s: Apps - Team Calendar
- Severity 2 - Major
Issue Summary
The following warning message keeps appearing in the application log:
2026-03-11 04:25:27,809 WARN [ThreadPoolAsyncTaskExecutor::Thread 3] [owasp.validator.html.Policy] <init> The directive "noopenerAndNoreferrerAnchors" is not enabled by default. It is recommended to enable it to prevent reverse tabnabbing attacks.
The bundled team calendar plugin seems to be the cause, as it loads antisamy-slashdot-1.4.4.xml, which does not explicitly set the noopenerAndNoreferrerAnchors directive to true.
Steps to Reproduce
- Start a 9.2 LTS instance
- For detailed logging, set the com.atlassian.confluence.extra.calendar3 log level to DEBUG
- Check the application log
Expected Results
The log should not be flooded with warnings related to noopenerAndNoreferrerAnchors.
Actual Results
The log is heavily flooded with the following warnings:
2026-03-11 04:25:27,809 WARN [ThreadPoolAsyncTaskExecutor::Thread 3] [owasp.validator.html.Policy] <init> The directive "noopenerAndNoreferrerAnchors" is not enabled by default. It is recommended to enable it to prevent reverse tabnabbing attacks.
Workaround
In your current <Confluence Installation>/confluence/WEB-INF/classes/log4j.properties, you can add the following lines to suppress these warnings:
#########################
# Suppress AntiSamy noopener warning spam
#########################
log4j.logger.org.owasp.validator.html.Policy=ERROR, confluencelog
log4j.additivity.org.owasp.validator.html.Policy=false
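
Suppressing the logger hides the message but does not change the policy. To see which bundled policy files leave the directive unset, as the Issue Summary describes, this added example (not part of the original ticket and not Atlassian's code) scans a JAR for antisamy*.xml files and reports the state of noopenerAndNoreferrerAnchors in each. The sample policies and file names are constructed, and the `<directives>`/`<directive name="..." value="..."/>` layout assumed here follows the AntiSamy policy file format.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

DIRECTIVE = "noopenerAndNoreferrerAnchors"

def directive_state(policy_xml):
    """Return 'enabled', 'disabled' or 'missing' for one policy document."""
    root = ET.fromstring(policy_xml)
    for d in root.iter("directive"):
        if d.get("name") == DIRECTIVE:
            value = (d.get("value") or "").strip().lower()
            return "enabled" if value == "true" else "disabled"
    return "missing"

def audit_archive(archive):
    """Map each antisamy*.xml in a JAR/ZIP (path or file object) to its state."""
    results = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base.startswith("antisamy") and base.endswith(".xml"):
                try:
                    results[name] = directive_state(zf.read(name))
                except ET.ParseError:
                    results[name] = "unparseable"
    return results

# Constructed sample policies (not the contents of the real bundled file).
POLICY_WITHOUT = """<anti-samy-rules><directives>
  <directive name="omitXmlDeclaration" value="true"/>
</directives></anti-samy-rules>"""
POLICY_WITH = """<anti-samy-rules><directives>
  <directive name="noopenerAndNoreferrerAnchors" value="true"/>
</directives></anti-samy-rules>"""

def build_sample_jar():
    """Build an in-memory JAR holding the two constructed policies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("antisamy-sample-old.xml", POLICY_WITHOUT)
        zf.writestr("policies/antisamy-sample-new.xml", POLICY_WITH)
        zf.writestr("plugin.xml", "<plugin/>")  # ignored: not a policy file
    return buf

if __name__ == "__main__":
    # Pass a JAR path as the first argument; otherwise the sample JAR is used.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    for name, state in sorted(audit_archive(source).items()):
        print(f"{state:12} {name}")
```

A policy reported as `missing` or `disabled` is one that does not explicitly set the directive to true, which is the condition the ticket identifies as the cause of the warning.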