https://confluence.atlassian.com/doc/configuring-the-whitelist-381255821.html details how the Confluence Whitelist protects Confluence from malicious links in content. Does this also protect us from links added to Confluence pages in a Comment?
Hello Peter and welcome to the Community!
The Confluence whitelist is designed to allow content from sites when those sites have been added to the whitelist. This whitelist does not protect against malicious links or content. This whitelist does allow you to block content from sites you have not explicitly allowed through the list.
Links will still be made available within pages, blogs and comments, and those links will still be clickable. The whitelist does block links: it blocks content from loading within a page if the domain or URL is not listed. An example of blocked content would be an RSS feed which was attempting to load content on a page from a domain not listed within the whitelist. The content for the RSS feed would not be allowed due to the domain not being present within the whitelist.
Here are examples from the RSS feed macro:
CAUTION: Including unknown HTML inside a webpage is dangerous.
HTML inside an RSS feed can contain active scripting components. This means that it would be possible for a malicious attacker to present a user of your site with script that their web browser would believe came from you. Such code could be used, for example, to steal a user's authentication cookie and give the attacker their Confluence login password. The RSS Feed macro may be disabled by your Confluence administrator. Also, your Confluence administrator can define a whitelist of trusted URLs. You will see an error message on the Confluence page, if the included URL is not in the whitelist.
Source: RSS Feed Macro
Just to reiterate, the whitelist macro does not replace a good antivirus/malware product and does not provide protection against malicious links/URLs in pages and comments. The whitelist will only block content from requesting information from a URL/domain that is not present within the whitelist.
Regards,
Stephen Sifers
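To make the distinction in the answer above concrete, here is an added illustration (my own example, not code from Confluence or from the original poster or answerer). It models the two paths separately: a server-side content fetch, as the RSS Feed macro performs, which is gated by the whitelist, and a link typed into a comment, which is rendered clickable with the whitelist never consulted. The entry kinds (domain, exact URL, wildcard), the matching rules, the allowlist entries and the feed bodies are all constructed for this example and are a simplification, not Confluence's own matching code.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample allowlist (assumption: entry kinds loosely modelled on the
# domain / exact / wildcard choices an admin can make; matching is simplified).
WHITELIST = [
    ("domain", "https://feeds.example.com"),
    ("exact", "https://status.example.org/rss.xml"),
    ("wildcard", "https://*.partner-example.net/*"),
]

# Constructed stand-in for the network: what a fetch of each URL would return.
# Note the allowed feed still carries a <script>; the whitelist gates *where*
# content comes from, it does not sanitise *what* comes back.
FAKE_FEEDS = {
    "https://feeds.example.com/news.rss": "<item><title>ok</title><script>alert(1)</script></item>",
    "https://attacker.example/feed.xml": "<item><script>steal(document.cookie)</script></item>",
}


def is_whitelisted(url, entries=WHITELIST):
    """Return True if url is permitted by any allowlist entry.

    Matching is done on parsed components (scheme, hostname, port, path), not on
    the raw string, so 'https://feeds.example.com@evil.example/' is judged by its
    real host (evil.example) and a wildcard cannot slide across '/' into a query
    string.
    """
    u = urlparse(url)
    for kind, pattern in entries:
        p = urlparse(pattern)
        if kind == "domain":
            if (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port):
                return True
        elif kind == "exact":
            if url == pattern:
                return True
        elif kind == "wildcard":
            # hostname and path are matched separately; '*' in the host part
            # never matches a different host with the pattern text in its query
            if (u.scheme == p.scheme
                    and u.hostname is not None
                    and fnmatchcase(u.hostname, p.hostname or "")
                    and fnmatchcase(u.path, p.path or "*")):
                return True
    return False


def fetch_feed(url, entries=WHITELIST):
    """Server-side fetch as the RSS Feed macro would do it: gated by the allowlist."""
    if not is_whitelisted(url, entries):
        return {"status": "blocked", "reason": f"{url} is not in the whitelist"}
    return {"status": "fetched", "body": FAKE_FEEDS.get(url, "")}


_LINK_RE = re.compile(r'https?://[^\s<>"\']+')


def comment_links(comment_text):
    """Links in a comment are rendered as written; the allowlist is not consulted.

    Returns the URLs the comment would expose as clickable links.
    """
    return _LINK_RE.findall(comment_text)


if __name__ == "__main__":
    for url in ("https://feeds.example.com/news.rss", "https://attacker.example/feed.xml"):
        print(url, "->", fetch_feed(url)["status"])
    comment = "see https://attacker.example/phish for details"  # constructed comment
    print("comment links rendered:", comment_links(comment))
```

Run stand-alone it prints one fetched and one blocked feed, then shows the phishing link from the comment surviving untouched. The component-wise matching in `is_whitelisted` is the check worth keeping if you ever write your own allowlist: string-prefix or whole-URL glob matching is bypassed by userinfo tricks and by pattern text placed in the query string.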