Markso is built on Atlassian Forge — a sandboxed, serverless runtime hosted and maintained by Atlassian. Forge functions run in isolated execution environments with no persistent server infrastructure that could be compromised. There is no server for attackers to target, no persistent process to patch, and no infrastructure for Agilva to manage.
Markso enforces strict CSP compliance throughout:
The Source Editor validates all XML against a strict parser before allowing a save. Invalid XHTML cannot be written to a Confluence page under any circumstances. The Save button is programmatically disabled until validation passes. This prevents both accidental corruption and any attempt to inject malformed markup.
All user-generated Markdown is sanitised with DOMPurify before rendering. The following are explicitly allowed:
<details> and <summary> for collapsible sectionsalign attribute for text alignmentclass attribute for task list stylingThe following are explicitly blocked regardless of input:
<script> tags of any kindon* event attributes (onclick, onload, etc.)src pointing to external URLs in iframes)All dependencies are pinned to specific versions in package.json. No runtime dependency fetching occurs. npm audit is run before every deployment. Primary runtime dependencies are CodeMirror 6, marked.js, DOMPurify, and Mermaid — all well-maintained, widely audited open source libraries.
Markso inherits Atlassian Forge's platform-level security, which includes:
If you discover a security vulnerability in Markso Editor, please report it responsibly by contacting Agilva Solutions via the Get in Touch form. Please include a description of the issue and steps to reproduce it. We will acknowledge receipt within one business day and provide a resolution timeline.
For security-related questions or vulnerability reports, contact Agilva Solutions via the Get in Touch form.