Does anyone have Smartsheet objects embedded in Confluence?


I read that it's possible to do this, but there was a security issue with Cross scripting hacks. Is anyone doing this? Is this still a concern? We use Confluence and I'd like to make a PMO portal for all the PMs across our organization to use, but I wanted to embed the dashboards, forms, sheets and reports I have in Smartsheet into Confluence.

Thank you for your input.



  • Genevieve P. Employee Admin

    Hi @Michelle Barnett

    I can't speak to Confluence security, but the Atlassian Community has detailed steps on how to embed Smartsheet content in this article: How to integrate Smartsheet into Confluence Cloud

    I would recommend posting in their community if you have more questions with regard to Confluence.



  • Michelle Barnett

    Hi Genevieve,

    I checked with security regarding the HTML code that would embed an iframe and the hacking threat, but security said it was minimal, so I think I'm OK.

    Thanks for getting back to me.


  • Capitel


    Thanks @Genevieve P. for mentioning our article! It describes pretty well the process for embedding Smartsheet content with resolution GmbH's app Smartsheet for Confluence, which we launched earlier this year and is growing quite fast among enterprise customers.

    In case any other admin is concerned with the threats of the Confluence HTML macro, here's what our dev lead told me about what we do to sanitize it:

    "It is a concern and I think we're fine. We have several layers of checks in place that should prevent it.

    1. First, we're including the Smartsheet URL as an iframe, so anything running inside the iframe is sandboxed from our app and Confluence. Our app additionally runs in an iframe inside Confluence, so even if we mess up, there's another layer of security.
    2. Second, we use React for setting the Smartsheet URL on the iframe. That should catch anything we don't.
    3. Third, we have checks in place that validate the URL given to our apps and that would (hopefully) reject any attempt to run an XSS attack."

    Hope that makes the most sensitive admins a bit less scared of empowering their users to connect third-party apps to Confluence.


    Jaime Capitel
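
The following is an added example, not part of the thread and not resolution GmbH's code. It shows one way to do the URL validation named as the third layer above, before a value is used as an iframe `src`; the allowed host and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not resolution GmbH's code. ALLOWED_HOSTS is an assumption:
// list only the hosts your published Smartsheet items are actually served from.
const ALLOWED_HOSTS = new Set(["app.smartsheet.com"]);

// Returns { ok: true, href } for an acceptable iframe src, else { ok: false, reason }.
function validateEmbedUrl(input) {
  if (typeof input !== "string" || input.length > 2048) {
    return { ok: false, reason: "type-or-length" };
  }
  let url;
  try {
    // No base URL is passed, so relative and scheme-relative input fails to parse.
    url = new URL(input);
  } catch (err) {
    return { ok: false, reason: "unparseable" };
  }
  // Compare the parsed scheme, never a string prefix: the parser has already
  // stripped tabs/newlines and lower-cased it, so "JaVa\tScript:" is caught here.
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // "https://allowed.host@other.host/" puts the allowed name in userinfo.
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "userinfo" };
  // Exact hostname match; suffix or substring checks accept look-alike hosts.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host" };
  // Hand the normalized form to the iframe, not the raw input.
  return { ok: true, href: url.href };
}

// Constructed sample inputs (not taken from the thread).
const SAMPLES = [
  "https://app.smartsheet.com/b/publish?EQBCT=constructed-id",
  "HTTPS://APP.SMARTSHEET.COM/b/publish?EQBCT=constructed-id",
  "JaVa\tScript:void(0)",
  "data:text/html,<p>constructed</p>",
  "http://app.smartsheet.com/b/publish?EQBCT=constructed-id",
  "https://app.smartsheet.com@attacker.example/b/publish",
  "https://app.smartsheet.com.attacker.example/b/publish",
  "//app.smartsheet.com/b/publish",
];

function checkSamples() {
  return SAMPLES.map((s) => ({ input: s, ...validateEmbedUrl(s) }));
}

console.table(checkSamples());
```

Validation of this kind complements the iframe isolation described in the first point; it does not replace it.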