Security considerations of allowing custom script

Allowing users to customize sites and pages in SharePoint by inserting script can give them the flexibility to address different needs in your organization. However, you should be aware of the security implications of custom script.

When you allow users to run custom script, you can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. Instead of allowing custom script, we recommend using the SharePoint Framework. For more info, see An alternative to custom script.

What custom script can do

Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:

  • Scripts have access to everything the user has access to.

  • Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.

You can't audit the insertion of script

As a Global Administrator, security admin, or SharePoint Administrator, you can allow or block custom script capabilities for the whole organization or for specific site collections. (For info on how to do this, see Allow or prevent custom script.) However, once you allow scripting, you can't identify:

  • What code has been inserted

  • Where the code has been inserted

  • Who inserted the code

Any user who has "Add and Customize Pages" permission (part of the Design and Full Control permission levels) to any page or document library can insert code that can potentially have a powerful effect on all users and resources in the organization.

The script has access to more than just the page or site - it can access content across all site collections and other Microsoft 365 services in the organization. There are no boundaries for executing script. For info about site activity you can audit, see Configure audit settings for a site collection.

You can't block or remove inserted script

If you've allowed custom script, you can change the setting to later prevent users from adding custom script, but you can't block the execution of script that has already been inserted. If dangerous or malicious script is inserted, the only way you can stop it is to delete the page that hosts it. This might result in data loss.

An alternative to custom script

The SharePoint Framework is a page and web part model that provides a governed and fully supported way to build solutions using scripting technologies with support for open-source tooling. Key features of the SharePoint Framework:

  • The framework runs in the context of the current user and connection in the browser.

  • The controls are rendered in the normal page Document Object Model (DOM).

  • The controls are responsive and accessible.

  • Developers can access the lifecycle. Also to render, they can access load, serialize and deserialize, configuration changes, and more.

  • You can use any browser framework you like: React, Handlebars, Knockout, Angular, and more.

  • The toolchain is based on common open source client development tools like npm, TypeScript, Yeoman, webpack, and gulp.

  • Admins have governance tools to immediately disable solutions regardless of the number of instances that have been used and the number of pages or sites across which they've been used.

  • Solutions can be deployed in web parts and pages that use the classic experience or the new experience.

  • Only Global Administrators, SharePoint Administrators, and people who have been given permission to manage the Apps site can add solutions. For info about giving users permission to manage the Apps site, see Request app installation permissions.