Preventing XSS issues with macros in Confluence 4.0
|Status||LEGACY This tutorial applies to Confluence versions that have reached end of life.|
In Confluence 4.0, the new XHTML renderer no longer has a 'render mode' for escaping the bodies passed to the macros with a plain text body, meaning that they will have to be escaped by the macro themselves.
You can use the
HtmlEscaper static method
escapeAll in order to escape the body of plain text, see the javadoc below for usage.
Replaces the HTML "special characters" <, >, ", ', and & with their equivalent entities in HTML 4 and returns the result. Also replaces the Microsoft "smart quotes" characters (extended ASCII 145-148) with their equivalent HTML entities.
true for preserveExistingEntities will try to not break existing entities already found in the input string, by avoiding escaping ampersands which form part of an existing entity like <. Passing
false will do the normal behaviour of escaping everything.
@param s the String to escape
@param preserveExistingEntities if
true, will avoid escaping the ampersand in an existing entity like <. If false, the method will do a normal escaping by replace all matched characters.
@return the string with special characters replaced by entities.
You will note in the above javadoc for
escapeAll that quote is referred to as a special character in HTML. This is not strictly true (see the specification) yet the quote does require special handling in order to prevent XSS attacks. Using something like
org.apache.commons.lang.StringEscapeUtils#escapeHtml(String) instead of
escapeAll will result in vulnerabilities as discussed in Apache Foundation issue LANG-572.