RSS Feed Macro
Security considerations
The RSS Feed macro may be disabled by your Confluence administrator. Also, your Confluence administrator can define a list of trusted URLs. You will see an error message on the Confluence page, if the included URL is not in the allowlist.
CAUTION: Including unknown HTML inside a webpage is dangerous.
HTML inside an RSS feed can contain active scripting components. This means that it would be possible for a malicious attacker to present a user of your site with script that their web browser would believe came from you. Such code could be used, for example, to steal a user's authentication cookie and give the attacker their Confluence login password.
Add this macro to your page
To add the RSS Feed macro to a page:
- From the editor toolbar, select Insert , then Other Macros.
- Choose RSS Feed from the External content category.
- Enter the RSS feed URL.
- Choose Insert.
You can then publish your page to see the macro in action.
Change the macro parameters
Macro parameters are used to change the behavior of a macro.
To change the macro parameters:
- In the editor, click the macro placeholder and select Edit.
- Update the parameters as required then select Insert.
Here's a list of the parameters available in this macro.
Parameter | Default | Description |
---|---|---|
RSS Feed URL | none | The URL of the RSS feed link you want to show. |
Maximum Number of Entries | 15 | Limit the number of entries displayed. |
Show Item Titles Only | false | Show only the titles of the news items, not the content. |
Show Name/Title of RSS Feed | true | Hide the feeds title bar. |
Where the parameter name used in Confluence storage format or wikimarkup is different to the label used in the macro browser, it will be listed below in brackets (example
).
How up to date is the feed?
By default, the RSS Feed macro caches the feed results for 60 minutes before fetching the data again.
If you wish to change the default caching, use the Cache macro to define how often the RSS Feed macro fetches the feed updates. You will need to install the Cache plugin onto your Confluence site.
What happens to a page containing a disallowed URL?
Your Confluence Administrator can set up an allowlist of allowed URLs. If this is the case, you may see an error on the pages which contain the RSS Feed macro.
A user can add the RSS Feed macro or the HTML-include macro to a Confluence page. The macro code includes a URL from which the content is drawn. When the page is displayed, Confluence will check the URL against the allowlist. If the URL is not allowed, Confluence will display an error message on the page.
The error message says that Confluence "could not access the content at the URL because it is not from an allowed source" and displays the offending URL. If the person viewing the page is a Confluence Administrator, they will also see a link to the Administration page where they can configure the URL allowlist.
Here is an example of the error message, including the link shown only to Confluence Administrators:
Here is an example of the error message, but without the link.
Authentication
Private feeds from external sites
RSS feeds which require authentication cannot be accessed using the RSS Feed macro.
Accessing internal HTTPS feeds
This applies only to Confluence instances which have enabled HTTPS for all content. If your site is fully HTTPS, the RSS Feed macro cannot access internal feeds. To enable the RSS Feed macro to access internal feeds without affecting your HTTPS setup, enable local-only HTTP access:
- Shut down Confluence.
- Consult the SSL guide to enable HTTP access to Confluence. You'll want to ensure that you have an HTTP connector and an SSL connector, both commented in. This means that Confluence will be accessible via both HTTP and HTTPS. However, you should not have a redirect port, nor rules in web.xml to redirect all traffic.
- Instead of using web.xml to redirect traffic, insert a firewall rule to redirect all HTTP requests not from the Confluence server to the equivalent HTTPS URL. This ensures that users will only be able to access Confluence via HTTPS, as intended. If you have still left HTTP access for attachments enabled (to avoid the IE download bug) you must selectively enable those URLS as well.
- Modify your Confluence RSS Feed macro feed link to use the HTTP URL, and restart Confluence.
Enable or disable the RSS Feed macro
To enable or disable the RSS Feed macro:
- Go to Administration menu then Manage apps.
- Select System from the drop down and search for the Confluence HTML Macros system app.
- Expand the listing and enable or disable the rss (rss-xhtml) module.
Other ways to add this macro
Add this macro as you type
Add this macro using wiki markup
This is useful when you want to add a macro outside the editor, for example as custom content in the sidebar, header or footer of a space.
Macro name: rss
Macro body: None.
{rss:max=10|showTitlesOnly=true|url=http://myblog.com/feed|titleBar=false}