Security Considerations

The run macro allows input from users who have only view access. Take care that this input cannot contain unexpected data that the processing in the macro body does not handle properly. Here are some hints and tips.

  1. Consider using Macro Security for Confluence to control who can create content using the run macro - at least on sites with higher security needs. This can restrict use to people more experienced with security implications.
  2. Use pre-defined value fields instead of open ended text fields. For example, select lists, radio buttons, and similar where appropriate.
  3. When using text fields to substitute values into SQL statements, use SQL parameter markers instead of pasting the value into the SQL syntax directly. See Wikipedia: SQL injection.
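Added example illustrating tip 3 (not code from the run macro or its documentation): an in-memory SQLite table stands in for a Confluence data source, and the same query is run once with the text-field value pasted into the SQL text and once with a `?` parameter marker, so the difference in behaviour on a value containing a quote is visible.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a real data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (owner TEXT, title TEXT)")
    conn.executemany("INSERT INTO report VALUES (?, ?)", [
        ("alice", "Q1 budget"),
        ("bob", "Hiring plan"),
        ("o'neil", "Vendor list"),
    ])
    return conn


def titles_by_substitution(conn, owner):
    """The pattern tip 3 warns against: the field value becomes part of the SQL text."""
    sql = "SELECT title FROM report WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def titles_by_parameter(conn, owner):
    """Same query with a parameter marker: the value is sent separately from the SQL
    text, so quotes in it are data, never syntax."""
    sql = "SELECT title FROM report WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both variants on a fresh database and return their outcomes side by side.
    A syntax failure of the substituted query is returned as a string instead of raised."""
    conn = make_db()
    try:
        substituted = titles_by_substitution(conn, owner)
    except sqlite3.Error as exc:
        substituted = "SQL error: " + str(exc)
    return substituted, titles_by_parameter(conn, owner)


if __name__ == "__main__":
    for value in ("alice", "o'neil"):
        print(repr(value), "->", compare(value))
```

A plain owner name gives identical results from both variants; the name with an apostrophe breaks the substituted query while the parameterised one returns the expected row.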