Details
- Bug
- Resolution: Fixed
- High
- None
- None
Description
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
Whilst removing a Connect security vulnerability (ACDEV-514, ACDEV-516), we have encountered an obstacle in Confluence that prevents us from completing this work and therefore closing this serious security hole.
Confluence currently assumes that the image placeholders are served out of Confluence. For Connect we require them to be able to be served out of the Addon.
The offending line is CustomImageEditorMacroMarshaller line 104:
    writer.writeAttribute("src", context + imgUrl);
For Connect we need this to not prepend the context for absolute URLs.
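One way the requested behaviour could look, as an added example that is not Confluence's or Connect's own code: relative placeholder URLs still get the context path, absolute ones are written unchanged. The class and method names, the sample URLs and the http/https allowlist are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example: PlaceholderSrcResolver and resolveSrc are hypothetical names.
public class PlaceholderSrcResolver {

    /** Returns the value to write into the placeholder img "src" attribute. */
    static String resolveSrc(String context, String imgUrl) {
        final URI uri;
        try {
            uri = new URI(imgUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Malformed placeholder URL", e);
        }
        if (uri.isAbsolute()) {
            // Assumption: an add-on may only serve placeholders over http(s);
            // every other scheme is refused rather than written to the page.
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            boolean web = scheme.equals("http") || scheme.equals("https");
            if (!web || uri.getHost() == null) {
                throw new IllegalArgumentException("Unsupported placeholder URL");
            }
            return imgUrl; // absolute: do not prepend the context path
        }
        // "//host/path" has no scheme but still points off-site; prepending the
        // context would silently change its meaning, so refuse it explicitly.
        if (uri.getRawAuthority() != null) {
            throw new IllegalArgumentException("Scheme-relative URL not accepted");
        }
        return context + imgUrl; // relative: same as the existing behaviour
    }

    public static void main(String[] args) {
        String context = "/confluence"; // constructed sample values below
        System.out.println(resolveSrc(context, "/plugins/servlet/placeholder.png"));
        System.out.println(resolveSrc(context, "https://addon.example.com/img/placeholder.png"));
        for (String bad : new String[] {"ftp://addon.example.com/p.png", "//addon.example.com/p.png"}) {
            try {
                resolveSrc(context, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```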
Issue Links
- is related to: CONFSERVER-25394 Macros don't support absolute icon urls (Closed)
- relates to: CONFCLOUD-31585 Add support for absolute Image placeholder URLs (Closed)
- causes: AC-832