How Administrators can protect from XSS vulnerabilities in SQL Query macro

Administrators can configure security restrictions to protect against XSS vulnerabilities related to the SQL Query macro. The restrictions can be specified globally via Global configuration, or with more fine-grained control using Macro security in the SQL Configuration.

Navigate to the SQL for Confluence Configuration screen and configure the restrictions.

SQL Configuration

Option 1: The anti-XSS mode in Global configuration reduces exposure to XSS exploits related to the SQL Query macro. Toggle Global configuration > Disable anti-XSS mode to OFF to protect against XSS vulnerabilities. For more information, refer to App configuration.

Global configuration

Option 2: Macro security allows admins to restrict the usage of the SQL Query macro at the parameter level to trusted users and groups in trusted spaces. The SQL statement in the SQL Query macro may contain malicious code. To defend against XSS attacks, admins can control access to the SQL Query macro editor parameter Stop encoding of HTML characters. The parameter usage restriction is specified by configuring Macro security.

To configure Macro security restriction for SQL Query macro, refer to App configuration.

Macro security

To protect against XSS attacks, the Administrator can configure the security restrictions in the following combinations:

Scenario 1. Global configuration > Disable anti-XSS mode is toggled OFF, and Macro security restriction is not configured for the parameter, Stop encoding of HTML characters.

Scenario 2. Global configuration > Disable anti-XSS mode is toggled OFF, and Macro security restriction is configured for the parameter, Stop encoding of HTML characters.

Scenario 3. Global Configuration > Disable anti-XSS mode is toggled ON, and Macro security restriction is configured for the parameter, Stop encoding of HTML characters.

In all the above scenarios, access to the parameter Stop encoding of HTML characters is restricted.

  • In the SQL Query macro editor, the parameter Stop encoding of HTML characters is disabled. The security configuration defends against an XSS attack even if the SQL statement input box contains malicious code, because HTML characters in the output are always encoded.

Scenario 4. Global Configuration > Disable anti-XSS mode is toggled ON, and Macro security restriction is not configured for the parameter Stop encoding of HTML characters.

In the SQL Query macro editor, the parameter Stop encoding of HTML characters is enabled, and the user has the ability to toggle the parameter to ON or OFF.

  • Suppose the user toggles the parameter Stop encoding of HTML characters to OFF. In that case, HTML characters in the output are encoded, which defends against the possibility of an XSS attack.

  • Suppose the user toggles the parameter Stop encoding of HTML characters to ON. In that case, an XSS attack is possible when the SQL statement input box contains malicious code.

The user needs to be careful and make a conscious decision when the parameter Stop encoding of HTML characters is toggled ON.
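The four scenarios above reduce to a small decision: the parameter is only exposed when anti-XSS mode is disabled and no Macro security restriction covers it, and output encoding is only lost when that exposed parameter is toggled ON. The following is an added example (not code from the app or from Appfire) that models this decision in Python and shows what a result cell containing markup looks like under each scenario; it assumes the app's "encoding of HTML characters" behaves like standard HTML escaping, which is a simplification.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class SqlConfig:
    """Administrator settings described on the page (assumed model, not the app's real API)."""
    disable_anti_xss_mode: bool   # Global configuration > Disable anti-XSS mode (True = toggled ON)
    param_restricted: bool        # Macro security restriction set for "Stop encoding of HTML characters"


def parameter_enabled(cfg: SqlConfig) -> bool:
    """Only Scenario 4 (anti-XSS mode disabled AND no Macro security restriction)
    enables the parameter in the macro editor; in Scenarios 1-3 it is disabled."""
    return cfg.disable_anti_xss_mode and not cfg.param_restricted


def output_is_encoded(cfg: SqlConfig, user_stop_encoding: bool) -> bool:
    """Encoding stays on unless the parameter is both enabled and toggled ON by the macro author."""
    if not parameter_enabled(cfg):
        return True
    return not user_stop_encoding


def render_cell(value: str, cfg: SqlConfig, user_stop_encoding: bool = False) -> str:
    """Render one query-result cell as it would reach the browser under the assumed model."""
    if output_is_encoded(cfg, user_stop_encoding):
        return html.escape(value, quote=True)   # markup becomes inert text
    return value                                # raw markup reaches the page


# Constructed sample: a result value containing markup, standing in for the
# "malicious code" the page warns about.
SAMPLE_VALUE = "<script>alert(1)</script>"

# The four scenarios from the page, keyed by scenario number.
SCENARIOS = {
    1: SqlConfig(disable_anti_xss_mode=False, param_restricted=False),
    2: SqlConfig(disable_anti_xss_mode=False, param_restricted=True),
    3: SqlConfig(disable_anti_xss_mode=True, param_restricted=True),
    4: SqlConfig(disable_anti_xss_mode=True, param_restricted=False),
}

if __name__ == "__main__":
    for number, cfg in SCENARIOS.items():
        for toggle in (False, True):
            print(f"Scenario {number}: parameter enabled={parameter_enabled(cfg)}, "
                  f"user toggle ON={toggle} -> {render_cell(SAMPLE_VALUE, cfg, toggle)}")
```

Running it shows that only Scenario 4 with the toggle ON emits the raw markup; every other combination emits the escaped text.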


Confluence®, Jira®, Atlassian Bamboo®, Bitbucket®, Fisheye®, and Atlassian Crucible® are registered trademarks of Atlassian®
Copyright © 2005 - 2024 Appfire | All rights reserved. Appfire™, the 'Apps for makers™' slogan and Bob Swift Atlassian Apps™ are all trademarks of Appfire Technologies, LLC.