Suggestion
Resolution: Won't Fix
A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or at the macro level – I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, and for that Atlassian should be commended for the Whitelist function. But the risk remains that malicious content could be brought in through a whitelisted feed.
There are plenty of projects that are dedicated to aggregation, modification, and security sanitization of RSS content. http://simplepie.org/ is an example of the various projects that do this. The existing tools sanitize the RSS feeds by stripping out entire tags which are insecure as well as individual attributes of otherwise secure tags which may be insecure. Depending on how the projects are licensed and Atlassian's policies for inclusion of third-party code, this may be a fairly simple feature to implement.
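The tag-and-attribute stripping the description proposes, as an added example written for this page (not code from the issue, Confluence or SimplePie): a small allow-list sanitizer applied to the description of each item in a constructed RSS 2.0 feed. The allowed tag and attribute lists, the safe URL schemes and the sample feed are assumptions chosen for the demonstration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Allow-list policy (constructed for this example): unlisted tags are dropped but their text
# kept, DROP_WITH_CONTENT tags lose their contents, allowed tags keep only listed attributes.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
           "ul": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1  # swallow the tag and everything nested inside it
        elif not self.skip_depth and tag in ALLOWED:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED[tag]:
                    continue  # unlisted attribute, which covers every on* event handler
                if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                    continue  # javascript:, data: and relative URLs are dropped
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:  # re-escape text so it can never turn back into markup
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment); parser.close()
    return "".join(parser.out)

def sanitize_feed(rss_xml):
    """Map each RSS 2.0 <item> title to its sanitized <description> HTML."""
    root = ET.fromstring(rss_xml)
    return {i.findtext("title", ""): sanitize_html(i.findtext("description", ""))
            for i in root.iter("item")}

# Constructed sample feed: event handler, javascript: link and <script> beside real markup.
SAMPLE_FEED = ('<rss version="2.0"><channel><item><title>Post</title><description>'
               '&lt;p onmouseover="x()"&gt;Hi &lt;a href="javascript:void(0)"&gt;here&lt;/a&gt; '
               '&lt;a href="https://example.com/"&gt;ok&lt;/a&gt;&lt;script&gt;track()&lt;/script&gt;'
               '&lt;/p&gt;</description></item></channel></rss>')
```

Running `sanitize_feed(SAMPLE_FEED)` keeps the paragraph and the https link while the event handler, the javascript: href and the script block are gone.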
Relates to: CONFSERVER-34009 Flash content-type sniffing allows Cross Site Data Hijacking (Closed)
Hi Justin,
This is a great idea and I can see a lot of value in improving the security of external content included in Confluence for the RSS macro and the other HTML inclusion macros.
I'd suggest the best way to get this implemented would be as a "secure" version of the RSS macro or other macros in an open source plugin. This would give our customers the option of installing and using this macro instead of the one shipped in the HTML macros plugin. If this was available to our customers on the Atlassian Plugin Exchange and saw sufficient uptake, we could then consider inclusion of it in the product.
Another possibility is to develop a patch for the HTML plugin that implements the desired functionality, release it under the same open source license as the HTML macros, then raise an issue in the plugin issue tracker for integration.
Unfortunately, at the moment, given our roadmap and ideas for the product and resourcing around security work, we're not going to be able to work on this in the short or medium term. As such, I'll close this issue as 'Won't Fix' to make this clear to others who come across this issue.
Regards,
Matt