Embedded Javascript and HTML widgets

Version 7

    What changed


    As of version 4.0.6, the HTML Text Widget removes script tags from content saved by untrusted (i.e. non-administrative) users. This is a security measure: allowing untrusted users to embed arbitrary JavaScript in pages is a security vulnerability (filed in our internal bug tracker as CS-19120). A malicious user could use the ability to embed JavaScript in a publicly accessible page to perform cross-site scripting (XSS) attacks against other users.


    Note that users can still embed JavaScript in their own personal "Your View" tabs, because that code is executed for no user other than themselves.


    Users will notice this measure when they attempt to save an HTML widget containing JavaScript. The widget still saves correctly, but the JavaScript is scrubbed from the widget's source.


    Alternative options


    A system or space administrator can still embed the desired JavaScript into the widgeted page in question. This gives the trusted administrator a chance to vet the JavaScript and confirm it is safe to be run by end users.


    If your entire userbase is made up of trusted users and you wish to re-enable the old behavior globally, you can set the system property jive.htmlwidget.cleansejavascript=false. This is strongly discouraged for public or externally facing sites because of the obvious security implications.


    Other tags affected


    Also covered by this feature is the scrubbing of other potentially harmful tags (the process described above uses the standard HTML filter in our application). Besides <script>, the tags removed from content not posted by system or space administrators are <iframe>, <style>, <link>, <meta>, and <base>. Setting the jive.htmlwidget.cleansejavascript property to false disables ALL scrubbing, allowing any of the above tags to be embedded by non-administrative users.
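    The following is an added example, not Jive's own filter code, that models the behaviour described in "What changed" and "Other tags affected": a widget saved by a non-administrator has <script>, <iframe>, <style>, <link>, <meta> and <base> elements removed (together with the content of the non-void ones), while an administrator's content, or any content when the cleansejavascript setting is false, passes through untouched. It is built on Python's html.parser rather than on regular expressions, because tag stripping by regex is easy to bypass with malformed markup. The class and function names, and the sample widget source, are constructed for this example; the page names only tags, so attribute filtering is deliberately out of scope here.

```python
"""Role-aware HTML widget cleanser (added example, not Jive's own code)."""
from html import escape
from html.parser import HTMLParser

# Tags the page says are scrubbed from non-administrator widgets.
BLOCKED_TAGS = frozenset({"script", "iframe", "style", "link", "meta", "base"})
# Void elements have no closing tag, so they never open a "skip" region.
VOID_TAGS = frozenset({"link", "meta", "base", "br", "hr", "img", "input",
                       "area", "col", "embed", "param", "source", "track", "wbr"})


class WidgetCleanser(HTMLParser):
    """Rebuilds the markup, dropping blocked elements together with their content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0   # > 0 while inside a blocked non-void element
        self.removed = []     # names of blocked tags that were encountered

    def _render_start(self, tag, attrs, self_closing=False):
        rendered = []
        for name, value in attrs:
            if value is None:
                rendered.append(f" {name}")
            else:
                rendered.append(f' {name}="{escape(value, quote=True)}"')
        end = " />" if self_closing else ">"
        return f"<{tag}{''.join(rendered)}{end}"

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(tag)
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth == 0:
            self.parts.append(self._render_start(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(tag)
            return
        if self.skip_depth == 0:
            self.parts.append(self._render_start(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if tag not in VOID_TAGS and self.skip_depth > 0:
                self.skip_depth -= 1
            return
        if self.skip_depth == 0:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True already decoded entities, so the text must be
        # re-escaped; otherwise "&lt;script&gt;" in the input would come out as a live tag.
        if self.skip_depth == 0:
            self.parts.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry nothing a widget needs; drop them

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        return "".join(self.parts)


def cleanse_widget_html(source, user_is_admin, cleanse_javascript=True):
    """Return (cleaned_html, removed_tags) for a widget save by the given user.

    user_is_admin      -- system or space administrator (content is trusted)
    cleanse_javascript -- mirrors jive.htmlwidget.cleansejavascript;
                          False disables ALL scrubbing, as the page describes
    """
    if user_is_admin or not cleanse_javascript:
        return source, []
    parser = WidgetCleanser()
    parser.feed(source)
    parser.close()
    return parser.result(), parser.removed


if __name__ == "__main__":
    # Constructed sample widget source, not taken from any real site.
    sample = ('<div class="widget"><p>Hello &amp; welcome</p>'
              '<script>alert(1)</script>'
              '<iframe src="https://example.invalid/"></iframe>'
              '<style>p { display:none }</style>'
              '<base href="https://example.invalid/"><link rel="stylesheet" href="x.css">'
              '<p>&lt;script&gt; typed as text stays text</p></div>')
    cleaned, removed = cleanse_widget_html(sample, user_is_admin=False)
    print(cleaned)
    print("removed:", removed)
```

    Running it on the constructed sample leaves only the two paragraphs inside the div and reports the five blocked tags that were dropped. The returned list of removed tags is what you would log at save time so that administrators can see which users are repeatedly submitting widgets that get scrubbed.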


    This functionality is similar to the HTML cleaning that has previously existed for most content in the system (Messages, Documents, etc.), but those content types are unaffected by the above property. Setting a value for jive.htmlwidget.cleansejavascript affects HTML widgets only and nothing more.