Confluence Data Center: CONFSERVER-31007

RSS Macro should not trust all content from the origin server by default.

    Description

      The RSS Feed macro currently appears to be enabled by default in Confluence. This contradicts the following Confluence documentation:

      https://confluence.atlassian.com/display/DOC/RSS+Feed+Macro

      Although a URL whitelist is enforced by default, Confluence implicitly trusts itself, so the whitelist can be bypassed with an RSS file attached to a page on the same instance.

      Steps to reproduce:
      1. Create a new page.
      2. Attach the CONF-31007.xml file to the new page.
      3. On the new page, add an RSS macro whose RSS Feed URL points to the ^CONF-31007.xml attachment, then append &os_username=$ATTACK_USERNAME&os_password=$ATTACK_PASSWORD to the URL so that Confluence authenticates against itself and is able to fetch the attachment.
      The resulting URL should look something like the following:
      e.g. http://$confluence/download/attachments/557071/simple.xml?api=v2&os_username=myuser&os_password=myuser
      4. Save the page.
      5. Observe two alert prompts containing the numbers 1 and 2: script carried in the attached feed has executed in the page.
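The behaviour the steps above reproduce, and the fix the issue title asks for, as an added example in Python that is not code from this issue or from Confluence (which is written in Java): a feed renderer that pastes item fields into the page verbatim beside one that treats every field as untrusted. The sample feed is constructed for this example, since the CONF-31007.xml attachment is not reproduced on the page; it only imitates the idea of script inside item fields. The URL policy in feed_url_is_acceptable, the host name confluence.example and the tag allow-list are assumptions for illustration, not Confluence's actual whitelist logic.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample feed (assumption): script in both the title and the
# description, mirroring the two alerts described in the reproduction steps.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>attached feed</title>
    <item>
      <title><![CDATA[first item<script>alert(1)</script>]]></title>
      <description><![CDATA[<p onmouseover="alert(2)">hover me</p><script>alert(2)</script>]]></description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return each <item>'s title and description exactly as the feed supplied them."""
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def render_unsafe(items):
    """What the reported behaviour amounts to: feed-supplied HTML lands in the page verbatim."""
    return "".join(f"<h3>{it['title']}</h3><div>{it['description']}</div>" for it in items)


# Assumed allow-list of harmless formatting tags; every attribute is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br"}


class _Sanitizer(HTMLParser):
    """Allow-list sanitizer: keeps a few formatting tags without attributes,
    drops <script>/<style> together with their contents, escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._dropping += 1
        elif tag in ALLOWED_TAGS and not self._dropping:
            self.out.append(f"<{tag}>")  # attributes (on*, href, style) never survive

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self._dropping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment):
    """Reduce an untrusted HTML fragment to allow-listed tags and escaped text."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def render_safe(items):
    """The behaviour the issue title asks for: nothing from the feed is trusted."""
    return "".join(
        f"<h3>{html.escape(it['title'])}</h3><div>{sanitize_html(it['description'])}</div>"
        for it in items
    )


def feed_url_is_acceptable(url, own_host):
    """Assumed fetch-side policy (not Confluence's): refuse feed URLs that carry
    Confluence credentials in the query string, and refuse URLs that point back
    at the instance itself, which is how an attachment on the same server got
    through the whitelist in this report."""
    parts = urlsplit(url)
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if keys & {"os_username", "os_password"}:
        return False
    if (parts.hostname or "").lower() == own_host.lower():
        return False
    return True


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print("unsafe:", render_unsafe(items))
    print("safe:  ", render_safe(items))
    print(feed_url_is_acceptable(
        "http://confluence.example/download/attachments/557071/simple.xml"
        "?api=v2&os_username=myuser&os_password=myuser", "confluence.example"))
```

Running it prints the raw markup (both script blocks and the onmouseover handler intact) followed by the sanitized version, in which the title's script is shown as escaped text and the description keeps only <p>hover me</p>; the whitelist-bypass URL from the steps above is rejected by the assumed policy.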

      People: Petro Semeniuk (Inactive), Richard Turnbull