Multiline Text allowed characters or tags
So before I write a custom field to replace the use of the OOTB multiline text field could anyone tell me a couple things? First, could someone better explain the reason that script and iframe tags were allowed in content editor web parts but not in the multiline text RTE? Second, is there a way to enable the use of unsafe tags within the multiline text field without having to create a custom field?
October 27th, 2010 12:46pm
The answers to your questions are:
1. SECURITY.
2. NO. (See 1 above)

So now, let me explain...

The use of <script> and <iframe> tags in the Rich Text fields is not allowed, or rather, they are not interpreted as their types, but just as text, because it's a rich TEXT field. As a rich text field, the content of the field is something that a USER can set. As such, any web site that would allow a USER to set the content of a field to something that is executable, such as SCRIPTS or IFRAMES, would pose a grave security risk. It's like telling a hacker... Here's the keys to my server. Do your worst. For that reason, all fields that contain content set by users are configured to NOT allow users to embed scripts etc. into the pages.

In the same way, the use of Content Editor web parts is limited to users with DESIGNER or ADMINISTRATOR rights. The assumption here is that these level users are trusted users that have been vetted and they won't intentionally embed harmful content into pages.

http://www.cjvandyk.com/blog/Lists/Posts/Post.aspx?ID=297

I trust that answers your question...

Thanks
C
http://www.cjvandyk.com/blog
November 1st, 2010 8:36am
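The behaviour the answer describes, where script and iframe tags in user-set rich text come out as text rather than as elements, shown as an added Python example that is not part of the thread and not SharePoint's own implementation. The allowlist, the scheme list and all names in it are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative allowlist (an assumption, not SharePoint's actual list).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class RichTextFilter(HTMLParser):
    """Keeps allowlisted formatting; everything else becomes visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <script>, <iframe>, ... are escaped, so the browser shows them as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            # Drops on* handlers, style, and URLs outside the allowlisted schemes.
            if name in ALLOWED_ATTRS.get(tag, ()) and value.lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<br/>" is emitted once, as "<br>"

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data):
        self.out.append(escape(data))  # text, including script bodies, is escaped


def render_user_rich_text(markup: str) -> str:
    parser = RichTextFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample input.
print(render_user_rich_text('<p>Hi <b onclick="x()">there</b></p><script>alert(1)</script>'))
```

Comments and declarations in the input are dropped, because the parser's default handlers for them emit nothing.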