WiscWeb - WiscWeb embed code policy

The following document outlines WiscWeb's current protocol regarding embedded code use.

Important note about terminology

This document uses some terminology that may not be familiar to all readers. If there are any terms you do not recognize, please refer to our Terminology doc for more information.

As of 2019, WiscWeb sites will not inherit the ability to embed code or inline HTML for display in a Text Block. This decision was made to align our service more closely with WordPress standards for security. It helps protect the entire multi-site network from XSS attacks that could break pages or sites.

Background

In WordPress multi-site networks, like the one we use for WiscWeb, only the SuperAdmin role is able to include unfiltered HTML. This was a change that WordPress rolled out in version 2.0 to prevent users from posting malicious or poorly formatted code. WiscWeb did not initially inherit this change because our pages are built using ACF page builder technology. ACF did not align with this standard until version 5.7.9.

ACF was updated to version 5.7.9 in the UW Theme in January 2019. At this time, the unfiltered HTML rule that was already in place for WordPress was unknowingly introduced to all WiscWeb sites. It prevented the use of embed code in the WYSIWYG for all roles other than SuperAdmins. As only WiscWeb staff are designated as SuperAdmins, this meant that all other users lost this capability at this time.

To accommodate sites that had previously always had this option available, WiscWeb implemented a short-term fix via a custom plugin. This plugin allowed the use of embed code in the WYSIWYG for site IDs that were created before the change. Sites created after this update do not inherit the ability to embed content in the WYSIWYG. The plugin was removed on 1/12/23, in preparation for major security changes to the service. No WiscWeb sites have the ability to use embed tags any longer.

Current behavior

If users try to include embed code in the Text Block of their WiscWeb site, it will be stripped upon Publish or Update. Users will not be able to use the following tags in the text area of their pages:

  • <iframe>
  • <embed>
  • <span> (span tags that use the style attribute will still work)
  • <input>
  • <script>
  • <form>
  • <style> (style attributes will still work, as with the <span> tag, but <style> tags will not work on their own)
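The stripping rule above, as an added illustration that is not WiscWeb's or WordPress's own code: a small Python allowlist filter that removes the listed tags on save, keeps a <span> only when it carries a style attribute, and records what it stripped (what a save-time log would show). It assumes that a blocked tag is removed while its inner text is kept, and it runs over a constructed sample of pasted markup.

```python
from html import escape
from html.parser import HTMLParser

# Tags the page lists as stripped from a Text Block on Publish/Update.
BLOCKED_TAGS = {"iframe", "embed", "span", "input", "script", "form", "style"}

class TextBlockFilter(HTMLParser):
    """Illustrative allowlist filter; blocked tags are removed, inner text kept."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &entities; untouched
        self.out = []       # rebuilt markup
        self.stripped = []  # blocked start tags, in the order they were seen
        self.open = []      # (tag, kept?) so the end tag gets the same decision

    def _keep(self, tag, attrs):
        if tag not in BLOCKED_TAGS:
            return True
        # Per the page, <span> survives only when it uses the style attribute.
        return tag == "span" and any(name == "style" for name, _ in attrs)

    def handle_starttag(self, tag, attrs):
        keep = self._keep(tag, attrs)
        self.open.append((tag, keep))
        if not keep:
            self.stripped.append(tag)
            return
        parts = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None
                        else f" {n}" for n, v in attrs)
        self.out.append(f"<{tag}{parts}>")

    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, -1, -1):  # find the matching start tag
            if self.open[i][0] == tag:
                if self.open.pop(i)[1]:
                    self.out.append(f"</{tag}>")
                return

    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def filter_text_block(markup):
    f = TextBlockFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.stripped  # (cleaned markup, stripped tags)

# Constructed sample of what a user might paste into a Text Block.
SAMPLE = ('<p>Watch: <iframe src="https://example.com/v"></iframe></p><span style='
          '"color:red">ok</span> <span class="x">plain</span><script>alert(1)</script>')
```

Running `filter_text_block(SAMPLE)` leaves the paragraph and the styled span intact while the iframe, the plain span and the script tag are stripped and their names recorded.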

Options for embedding

If WiscWeb users need to embed content, there are currently a couple of options. These options are outlined in WiscWeb - Embed Options.

Please note that our ability to add new technology to the Embed Options is limited by a couple of factors:

  1. We use a process called oEmbed for accommodating embedded content safely in WiscWeb. It is not always possible to create an oEmbed from every tool. We will let you know if it is not possible.
  2. We aim to align any oEmbed options with our Software and Technology Integration Policy. This means we prefer to work with tools that:
    1. Are campus supported
    2. Are easily supported within the WiscWeb environment
    3. Meet broad needs for campus (i.e., have high usage)
    4. Have a low impact on WiscWeb infrastructure
    5. Are accessible
  3. If a tool you wish to use is not currently listed in our Embed Options, please submit a feature request so that we can gauge its appropriateness for the service.

Troubleshooting tips

  • If there isn't another option available for including your outside source content in your site, we recommend linking out to the content. Users will still be able to get to it, and it's an easy workaround.

Keywords:
embed, iframe, script, style, embed, embedded, social media, HTML, unfiltered, input, policy 
Doc ID:
96764
Owned by:
Jenna K. in WiscWeb
Created:
2019-12-20
Updated:
2024-10-01
Sites:
DoIT Help Desk, WiscWeb