Hey GeneralUtil Javadocstates that GeneralUtil.htmlEncode
is deprecated and to use HtmlUtil.htmlEncode
instead. However, in user macros, there seems to be no $htmlUtil
available. Is it used under a different name? Or are we supposed to use something else?
It is easy to forget that users can easily execute Javascript in somebody else's context if parameters are not escaped..
This worked for me:
## @noparams #set ( $htmlUtil = $content.class.forName("com.atlassian.confluence.util.HtmlUtil").getConstructor().newInstance() ) #set ( $htmlText = $htmlUtil.htmlEncode("<p> Test </p>") ) $htmlText
While I appreciate your creativity (hence the upvote), I cannot mark this answer as accepted. There just has to be an "official" way to prevent XSS attacks via user macros.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks, I understand. However, I would have to say that there's nothing very "official" about user macros as they currently exist :)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.