Administrator guide

Owned by Smita Nair
Apr 16, 2024
2 min read

This guide contains the relevant information to install, uninstall, disable, and/or configure the app.

Installing the app

Instructions on how to install HTML Macro for Confluence on Confluence cloud are as follows:

  1. Log in as an administrator.

  2. Navigate to Settings > Find new apps.

  3. Search for HTML Macro for Confluence.

  4. Click on Free trial or Buy now.

Alternatively, if you are logged in as an administrator, you can click the Try it free or Buy it now buttons in the Marketplace.

Uninstalling or disabling the app

If you no longer want to use the app and you still have pages using the app's macro, then remove the macros first to prevent errors on pages using the macros.

Keep the app enabled and licensed until you have removed macro usage

If you already have disabled, uninstalled, or un-subscribed to the app, then you need to temporarily install or enable the app. You may need to do a Try it free if your license is invalid.

Uninstall or disable the app

Perform the following to uninstall the app:

  1. Log in as an administrator.

  2. Navigate to Settings > Manage apps.

  3. Select HTML Macro for Confluence to view the respective details in an expanded pane.

  4. Click Uninstall. A confirmation dialog box is displayed.

  5. Click Uninstall app to confirm. A successful uninstall message is displayed once the app is uninstalled.

You can use the Disable option instead of uninstalling the app. This sets the app to be inactive so the respective functionality becomes disabled and unavailable. You can activate the app back using the Enable option (which is visible only after you disable the app).

Configure the app

Administrators can use the Configure button for the HTML Macro in the Manage apps page to allow or prevent users from creating and viewing unsanitized HTML macros:

Image shows the HTML Macro for Confluence configuration page.
HTML Macro for Confluence configuration page

The JavaScript is limited as to what it can do because we “sandbox” the unsanitized macro in an extra iframe. It cannot spoof the target user to obtain their Confluence access token or make changes to any content outside the sandboxed macro. There are still some potential attacks. It is impossible to list all of these, but examples are a user adding a pop-up or phishing for user information. Because of how JavaScript works, there is no way to prevent these attacks by a malicious user already in the system. Therefore, unsanitized mode must only be enabled when users are trusted not to exploit it. If you are concerned about protecting your instance from these attacks, you can limit the users that can access/edit the page to Administrators or other trusted groups.