
The use of embedded scripts within the rich text editor.

Currently, you are able to use the smart embed functionality to insert iFrames into the body content of a page. However, you are not able to put scripts into the body content of the page.

The script is stripped out when you try to add the code to the page for two reasons. The first is that we are trying to keep the page clean and avoid running too many different or similar bits of JavaScript code, as these take a lot of resources in the browser and could potentially lead to a very slow page load. The second is to avoid any cross-site scripting, which is a potential security issue. Most of the time when you are embedding content into your website it is from a trusted source; however, there are ways in which people can use this to try to circumvent security parameters. It is for these reasons that we currently strip out the script tag if it is put into the rich text editor.

We will implement a whitelisting feature that will allow us to whitelist the domains that it is safe for you to embed scripts from, and then we will amend the stripping of the scripts dynamically. We will then also be able to have better control over the JavaScript that is used on the Haiku sites. We will be able to analyse and reuse code that already exists on the pages as we load them, rather than trying to execute the same JavaScript code multiple times for one page load.
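The planned behaviour (strip scripts unless they come from a whitelisted domain, and load a repeated script only once) could look like the following. This is an added example, not Haiku's own code: the hostname `widgets.example.org` and all function and class names are hypothetical, and only `<script>` elements are handled, as that is the one tag this page discusses.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCRIPT_HOSTS = {"widgets.example.org"}  # hypothetical; the page names no domains
# Constructed sample input, not taken from the page.
SAMPLE = '<p>A &amp; B</p><script>x()</script><script src="https://widgets.example.org/e.js"></script>'

class ScriptFilter(HTMLParser):
    """Re-emit rich-text HTML, keeping only whitelisted external <script> tags."""
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.out, self.seen, self.removed, self.in_script = [], set(), [], False

    def _approved_src(self, attrs):
        src = (dict(attrs).get("src") or "").strip()
        try:
            url = urlsplit(src)
            # Exact host match over https; inline scripts have no src and fail here.
            ok = url.scheme == "https" and url.hostname in self.allowed
        except ValueError:  # malformed URL
            ok = False
        if not ok:
            self.removed.append(src or "<inline>")
        elif src not in self.seen:  # a repeated src is emitted only once per page
            self.seen.add(src)
            return src
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            self.out.append(self.get_starttag_text())
            return
        self.in_script = True  # the body of every script, kept or not, is dropped
        src = self._approved_src(attrs)
        if src:
            self.out.append('<script src="%s"></script>' % escape(src, quote=True))
    def handle_startendtag(self, tag, attrs):
        if tag != "script":  # a self-closed <script/> is dropped
            self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag != "script":
            self.out.append("</%s>" % tag)
        self.in_script = False  # inside a script only </script> is reported
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def filter_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (filtered_html, list_of_removed_script_sources)."""
    f = ScriptFilter(allowed_hosts)
    f.feed(html); f.close()
    return "".join(f.out), f.removed
```

The `removed` list gives an admin-facing record of which sources were stripped, which is the information a whitelisting request would need.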


Stories

AS AN ADMIN I want to be able to add <script> into the rich text editor without it being stripped when I save the page SO THAT I can embed more dynamic content from other websites or services.

AS AN ADMIN I want to be able to request that a new site is whitelisted if I find one that is not currently whitelisted but does not pose a security risk SO THAT I can continue to use new services as they become available.

AS A DEVELOPER I want to maintain an easy-to-update whitelist of domains that are allowed to embed a <script> tag within the rich text editor SO THAT I can maintain a high level of security across the Haiku websites.

AS A DEVELOPER I want to load as little JavaScript on a page as possible, so ideally reusing JavaScript code when possible on a single page load, rather than having it load multiple times SO THAT I am not impacting the performance of the website for a user.