Only allow basic formatting macros in comments

2007-09-05T20:03:57
ID ATLASSIAN:CONFSERVER-9387
Type atlassian
Reporter igorminar
Modified 2017-04-02T07:35:08

Description

NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-9387

Currently it is possible for users with create comments permission to embed macros in these comments.

This is a security risk and an unnecessary/unwanted feature.

Should a macro contain a security vulnerability, we can't rely on the fact that only trusted users to whom we have given permission to create/edit wiki pages could misuse it, because even users with create-comment permission whom we don't trust can use macros in comments.

There is a short list of basic macros that should be allowed in comments to let users better format their comments. This list includes: quote, code, and basic formatting macros (bold, italics, ordered and unordered lists).

If you wanted to make the behavior very flexible and keep Confluence backwards compatible for users who already rely on macros in comments, you could externalize the exception list as a JVM property or a property stored in the DB.
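The two ideas above (allow only a short list of basic macros in comments, and make that list an externally configured property) can be illustrated with a small allowlist filter. The following is an added example written for this page, not Confluence's own code or an Atlassian API: it scans Confluence-style `{macro}` / `{macro:param=value}` tokens in a comment body, keeps only allowlisted macro names, replaces the rest with an inert placeholder, and returns the rejected names so the caller can log them. The property name `comment.macro.allowlist` is a hypothetical setting, read here from an environment variable as a stand-in for a JVM property; the sample comment is constructed. Plain wiki markup for bold, italics and lists is not a `{...}` token, so it passes through untouched.

```python
import os
import re
from typing import Iterable, Mapping, Optional

# Default allowlist: the basic macros the suggestion names (quote and code).
# Bold, italics and list markup are not {macro} tokens, so they are unaffected.
DEFAULT_ALLOWED_MACROS = frozenset({"quote", "code"})

# Hypothetical property name standing in for a JVM property (assumption, not a real setting).
ALLOWLIST_PROPERTY = "comment.macro.allowlist"

# Matches {name} and {name:param=value|other=value} style macro tokens on a single line.
MACRO_TOKEN = re.compile(r"\{([A-Za-z][\w-]*)(?::[^{}\n]*)?\}")


def load_allowlist(env: Optional[Mapping[str, str]] = None) -> frozenset:
    """Read the comma-separated allowlist from the environment (stand-in for a JVM
    property). An unset or empty value falls back to the built-in default."""
    env = os.environ if env is None else env
    raw = env.get(ALLOWLIST_PROPERTY, "")
    names = {n.strip().lower() for n in raw.split(",") if n.strip()}
    return frozenset(names) if names else DEFAULT_ALLOWED_MACROS


def filter_comment_macros(text: str, allowed: Iterable[str]):
    """Replace every macro token whose name is not in `allowed` with an inert
    placeholder. Returns (filtered_text, rejected_names); the rejected names are
    meant for audit logging so abuse attempts are visible to administrators."""
    allowed_set = {a.lower() for a in allowed}
    rejected = []

    def _sub(m: "re.Match") -> str:
        name = m.group(1).lower()
        if name in allowed_set:
            return m.group(0)          # keep the allowlisted macro verbatim
        rejected.append(name)
        return f"[macro '{name}' is not permitted in comments]"

    return MACRO_TOKEN.sub(_sub, text), rejected


# Constructed sample comment: two allowed macros, two that are not on the list,
# and some plain formatting markup that must survive unchanged.
SAMPLE_COMMENT = (
    "Thanks! {quote}looks good{quote}\n"
    "{code:java}int x = 1;{code}\n"
    "{html}<b>raw html</b>{html}\n"
    "{include:SomeOtherPage}\n"
    "*bold* and _italics_ and\n"
    "* a list item"
)


def filter_sample() -> tuple:
    """Run the filter over the constructed sample with the default allowlist."""
    return filter_comment_macros(SAMPLE_COMMENT, load_allowlist({}))


if __name__ == "__main__":
    filtered, rejected = filter_sample()
    print(filtered)
    print("rejected macros:", rejected)
```

In a real deployment the filter would run at comment save time (and again at render time, so existing stored comments are covered), and the rejected list would go to the audit log; the allowlist value would come from the JVM property or DB setting the suggestion describes rather than from an environment variable.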