Markso Editor
Security Policy

Markso Editor
Security Policy

Effective date: June 2026  ·  Applies to: Markso Editor for Confluence (Confluence Cloud)

Secure by Architecture

Markso is built on Atlassian Forge — a sandboxed, serverless runtime hosted and maintained by Atlassian. Forge functions run in isolated execution environments with no persistent server infrastructure that could be compromised. There is no server for attackers to target, no persistent process to patch, and no infrastructure for Agilva to manage.

Sandboxed execution
Each Forge function runs in an isolated environment. No persistent process, no shared state between users.
Zero external egress
No outbound network calls to any external domain anywhere in the codebase. Verified on every release.
Atlassian-managed auth
No custom authentication implementation. All auth is handled by Atlassian's own Forge authentication layer.

Content Security Policy

Markso enforces strict CSP compliance throughout:

XHTML Validation

The Source Editor validates all XML against a strict parser before allowing a save. Invalid XHTML cannot be written to a Confluence page under any circumstances. The Save button is programmatically disabled until validation passes. This prevents both accidental corruption and any attempt to inject malformed markup.

Input Sanitisation

All user-generated Markdown is sanitised with DOMPurify before rendering. The following are explicitly allowed:

The following are explicitly blocked regardless of input:

Dependency Management

All dependencies are pinned to specific versions in package.json. No runtime dependency fetching occurs. npm audit is run before every deployment. Primary runtime dependencies are CodeMirror 6, marked.js, DOMPurify, and Mermaid — all well-maintained, widely audited open source libraries.

Forge Platform Security

Markso inherits Atlassian Forge's platform-level security, which includes:

Vulnerability Disclosure

If you discover a security vulnerability in Markso Editor, please report it responsibly by contacting Agilva Solutions via the Get in Touch form. Please include a description of the issue and steps to reproduce it. We will acknowledge receipt within one business day and provide a resolution timeline.

Contact

For security-related questions or vulnerability reports, contact Agilva Solutions via the Get in Touch form.