Allowing custom script has its security implications. But what exactly does it mean? Is it dangerous? My colleauge Daniel and me have done a little experiment. There are two implications stated on MS Docs: Scripts have access to everything the user has access to. Scripts can access content across several Office 365 services and even beyond with Microsoft Graph integration. To summarize, we can look at that picture: So the risk that user 1 (the Blue User) intentionally or unintentionally places a script and lets user 2 (the Red User) run this script by linking to the page that has this script.

Det finns ett exempel här. //defaultAspx är sidan (SPListItem i Sidor) //måste checkas ut först //mgr är WebPartManager //wp är contentEditorWebPart web.AllowUnsafeUpdates = true; XmlDocument xmlDoc = new XmlDocument(); XmlElement xmlElement = xmlDoc.CreateElement("Content"); xmlElement.InnerText = ((Microsoft.SharePoint.WebPartPages.ContentEditorWebPart)wp).Content.InnerText.ToString(); xmlElement.InnerText = xmlElement.InnerText.ToString().Replace("#HEADING#", "Welcome for welcome"); wp.Content = xmlElement; mgr.SaveChanges(wp); defaultAspx.File.CheckIn(""); defaultAspx.File.Publish(""); web.AllowUnsafeUpdates = false; ```Man måste skapa nytt XmlDocument och XmlElement, om man försöker skriva direkt till wp.Content.InnerText kommer det inte uppdateras. I det här fallet, byter vi ut #HEADING# mot något mer passande.