Why can’t I use SCRIPT or IFRAME tags in my SharePoint Rich Text fields?

Written by Cornelius J. van Dyk on . Posted in Blog

I answered this question and thought it might be good to post for others as well… The question was:

“So before I write a custom field to replace the use of the OOTB multiline text field, could anyone tell me a couple of things? First, could someone better explain the reason that script and iframe tags were allowed in content editor web parts but not in the multiline text RTE? Second, is there a way to enable the use of unsafe tags within the multiline text field without having to create a custom field?”

The answers to your questions are:

1. SECURITY.
2. NO. (See 1 above)

So now, let me explain… The use of <script> and <iframe> tags in Rich Text fields is not allowed, or rather, they are not interpreted as script or frame elements but simply as text, because it is a rich TEXT field. As a rich text field, the content of the field is something that a USER can set. As such, any web site that allowed a USER to set the content of a field to something executable, such as SCRIPTS or IFRAMES, would pose a grave security risk: whatever one user saves would run in the browser of every other user who views the page. It’s like telling a hacker… Here are the keys to my server. Do your worst. For that reason, all fields that contain content set by users are configured NOT to allow users to embed scripts etc. into the pages. In the same way, the use of Content Editor web parts is limited to users with DESIGNER or ADMINISTRATOR rights. The assumption here is that users at these levels are trusted users who have been vetted and who won’t intentionally embed harmful content into pages. SharePoint isn’t trying to make life hard… it’s just protecting us from ourselves sometimes. 🙂
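To make the distinction concrete, here is an added example (not SharePoint code and not from the original post) of the two defensive behaviours described above: a plain text field that encodes everything a user typed so that tags are shown as literal characters, and a rich text field that keeps a small allowlist of formatting tags while dropping script, iframe and event-handler attributes. The field names, the allowlist and the sample inputs are assumptions chosen for illustration; it uses only the Python standard library.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a hypothetical rich text field: formatting only.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no on* handlers anywhere
VOID_TAGS = {"br"}                        # emitted without a closing tag
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://")


def render_as_text(user_input: str) -> str:
    """Plain text field: whatever the user typed is shown, never interpreted."""
    return escape(user_input, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from scratch, keeping only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside script/iframe/etc. (content dropped too)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: and friends
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text between tags is re-encoded, so a stray "<" cannot open a tag.
            self.out.append(escape(data, quote=False))


def render_as_rich_text(user_input: str) -> str:
    """Rich text field: formatting survives, anything executable does not."""
    parser = AllowlistSanitizer()
    parser.feed(user_input)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input mixing harmless formatting with a payload.
    sample = ('<p>Hello <b>world</b><script>alert(1)</script>'
              '<iframe src="x"></iframe>'
              '<a href="javascript:alert(1)" onclick="x()">link</a></p>')
    print(render_as_text(sample))
    print(render_as_rich_text(sample))
```

The plain text path is what the post describes for SharePoint's rich text field: the tags survive only as visible characters. The allowlist path shows the alternative a custom field would have to implement correctly; note that it rebuilds the output rather than trying to strip "bad" patterns from the input, which is the property that makes denylist-style filters fail. For production use a maintained sanitizer library rather than a hand-rolled one.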

Cheers
C





Cornelius J. van Dyk

Born and raised in South Africa during the 70s, I got my start in computers when a game on my Sinclair ZX Spectrum crashed, revealing its BASIC source code. The ZX had a whopping 48K of memory, which was considered to be a lot in the Commodore Vic20 era, but more importantly, it had BASIC built into the soft touch keyboard. Teaching myself to program, I coded my first commercial program at age 15.

After graduating high school at 17, I joined the South African Air Force, graduating the Academy and becoming a Pilot with the rank of First Lieutenant by age 20. After serving my country for six years, I made my way back into computer software.

Continuing my education, I graduated Summa Cum Laude from the Computer Training Institute before joining First National Bank, where my work won the Smithsonian Award for Technological Innovation in the field of Banking and Insurance. Soon I met Will Coleman from Amdahl SA, who introduced me to a little known programming language named Huron/ObjectStar. As fate would have it, this unknown language and Y2K brought me to the USA in 1998.

I got involved with SharePoint after playing around with the Beta for SharePoint Portal Server 2003. Leaving my career at Rexnord to become a consultant in 2004, I was first awarded the Microsoft Most Valuable Professional Award for SharePoint in 2005, becoming only the 9th MVP for WSS at the time. I fulfilled a lifelong dream by pledging allegiance to the Flag as a US citizen in 2006. I met the love of my life and became a private consultant in 2008. I was honored to receive my ninth MVP award for SharePoint Server in 2013.
