Status: LEGACY. This tutorial applies to Confluence versions that have reached end of life.
In Confluence 4.0, the new XHTML renderer no longer has a 'render mode' for escaping the bodies passed to macros with a plain text body, so each such macro has to escape its body itself.
You can use the HtmlEscaper static method escapeAll to escape a plain text body; see the javadoc below for usage.
You will note in the above javadoc for escapeAll that the quote is referred to as a special character in HTML. This is not strictly true (see the specification), yet the quote does require special handling in order to prevent XSS attacks. Using something like org.apache.commons.lang.StringEscapeUtils#escapeHtml(String) instead of escapeAll will result in vulnerabilities, as discussed in Apache Foundation issue LANG-572.
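Why the quote matters, as an added example that is not Atlassian's code and does not call HtmlEscaper or commons-lang: the escape method below is a stand-in whose escapeQuote=false mode leaves the single quote untouched (the behaviour LANG-572 reports), and its output is checked after being placed in a single-quoted attribute. The class name, render(), attributeCount() and the sample body are hypothetical.

```java
public class PlainTextBodyEscaping {
    // Stand-in escaper (assumption, not HtmlEscaper or StringEscapeUtils).
    // escapeQuote=false leaves ' untouched; escapeQuote=true encodes it.
    static String escape(String s, boolean escapeQuote) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append(escapeQuote ? "&#39;" : "'"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical macro output: the body lands in a single-quoted attribute.
    static String render(String escapedBody) {
        return "<span title='" + escapedBody + "'>note</span>";
    }

    // Counts attributes on the rendered <span> by walking the start tag and
    // tracking quote state; more than one means the body left its attribute.
    static int attributeCount(String html) {
        int count = 0;
        char quote = 0;
        for (int i = 0; i < html.length(); i++) {
            char c = html.charAt(i);
            if (quote != 0) { if (c == quote) quote = 0; }
            else if (c == '\'' || c == '"') quote = c;
            else if (c == '=') count++;
            else if (c == '>') break;
        }
        return count;
    }

    public static void main(String[] args) {
        String body = "x' data-injected='1";   // constructed sample macro body
        for (boolean escapeQuote : new boolean[] {false, true}) {
            String html = render(escape(body, escapeQuote));
            System.out.println("escapeQuote=" + escapeQuote + " -> " + html
                + "  attributes=" + attributeCount(html));
        }
    }
}
```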