01 November 2010

Why can’t I use SCRIPT or IFRAME tags in my SharePoint Rich Text fields?

I answered this question and thought it might be good to post for others as well…  The question was: “So before I write a custom field to replace the use of the OOTB multiline text field could anyone tell me a couple things? First, could someone better explain the reason that script and iframe tags were allowed in content editor web parts but not in the multiline text RTE? Second, is there a way to enable the use of unsafe tags within the multiline text field without having to create a custom field?”   The answers to your questions are: 1.  SECURITY. 2.  NO. (See 1 above) So now, let me explain… The use of <script> and <iframe> tags in the Rich Text fields are not allowed, or rather, are not interpreted as their types, but just as text, because it’s a rich TEXT field.  As a rich text field, the content of the field is something that a USER can set.  As such, any web site that would allow a USER to set the content of a field to something that is executable such as SCRIPTS or IFRAMES, would pose a grave security risk.  It’s like telling a hacker… Here’s the keys to my server.  Do your worst. For that reason, all fields that contain content set by users, are configured to NOT allow users to embed scripts etc. into the pages. In the same way, the use of Content Editor web parts is limited to users with DESIGNER or ADMINISTRATOR rights.  The assumption here is that these level users are trusted users that have been vetted and they won’t intentionally embed harmful content into pages. SharePoint isn’t trying to make life hard… it’s just protecting us from ourselves sometimes. 🙂


No comments:

Post a Comment

Comments are moderated only for the purpose of keeping pesky spammers at bay.

SharePoint Remote Event Receivers are DEAD!!!

 Well, the time has finally come.  It was evident when Microsoft started pushing everyone to WebHooks, but this FAQ and related announcement...