Script in Content Editor Web Parts (CEWPs) in SharePoint 2010

<UPDATE> 2010-10-27: After you read this, be sure to read Christophe’s follow-up to this post: About Scripts, Web Parts and Urban Myths. He gives some other specifics you’ll probably need. </UPDATE>

One of the things I heard at SPTechCon several times was that in SharePoint 2010, it is no longer possible to put script into Content Editor Web Parts (CEWPs). Instead, I was told, you have to use the “new” HTML Form Web Part.

This was a pretty big concern to me, the Middle Tier guy. After all, many people put their scripts into CEWPs for easy manipulation and management. I personally prefer to put the script into the page directly with SharePoint Designer for better management and safe-keeping, but I was forseeing all sort of broken-ness on upgrades. It wasn’t sounding pretty.

Well, today a colleague and I ran a *very* simple test. We simply dropped the following script block into the CEWP in a SharePoint 2010 page:

<script type="text/javascript" language="javascript">
    alert("Hi, Paul!");
</script>

Lo and behold, SharePoint accepted it just fine and up popped the alert. Whew. (And Paul liked that SharePoint 2010 said “Hi” to him.)

As is often the case, the tweet-a-thon afterwards was almost more interesting, and may give you some other things to think about. Here’s the “thread”.

image

SNAGHTMLca8ab5

image

image

image

image

image

image

SNAGHTMLcc145e

image

image

image

and on it goes!

10 Comments

  1. I thought I’d take a moment to share some recent experiences I had with this. While you can put script in CEWP’s in SP2010 there is a big thing that I have noticed. If you’re running publishing features that allow the live editing of the page (ie: rich text, etc.) your script is still executed in that edit mode.

    What I’ve seen, and I still need to do some testing to confirm if it’s specific to publishing features or some other subset of SP2010, is that if you’re using your script to output HTML sometimes when you save your edited page, it saves with that output in place. In other words, saves the generated HTML as part of that page’s “edited” markup.

    Now, I only saw that in one environment and I haven’t had the time to isolate what specifically caused it, but my approach since has been to put my scripts in a library and reference that file as the CEWP source.

    Not to say that you can’t put script in a CEWP, but I figured it was worth contributing that I have seen it behave differently in SP2010 than SP2007.

    Reply
    • That’s not dissimilar to what you’d see in 2007, actually. It all depends on what your script is doing. I think your approach of storing the script off in a file separately is a best practice, anyway, because it allows reuse.

      M.

      Reply
    • @Michael: right, scripts run even in edit mode, but this is no different from what usually happens with SharePoint (including the 2007 version).
      And right, the page will save the HTML, whether it is entered manually or written by a script. This one is new, as inline editing didn’t exist in SP 2007. This is the reason why for example the Easy Tabs v5 don’t run in edit mode, a behavior I had to correct from the previous version built for SP 2007.

      Reply
  2. Nice to see someone trying to set the record straight. And- never underestimate the joy-producing powers of having your computer say Hi! to you, even if you were the one that made it do it!! ;-D

    Reply
  3. I think the speakers at SPTechCon were talking about the scriptable web parts feature which designates weparts that can run scripts the user adds, which can be dangerous if any old contributer can do. To mitigate this Microsoft added a option in central admin security for web part pages that will block contributers from editing web parts (like the content editor) that allow scripting. However, owners will still be able to edit the web parts. When developing web parts we now have a option to assign a web part as scriptable to take advanage of this for custom web parts.

    Reply
  4. I still see that scripting is not supported in Normal Page editing though it possible in CEWP. When I asked a Microsoft Architect regarding this he confirmed that because of cross site scripting it is not allowed in Normal Page editing. If that is case then why in CEWP? Why CEWP supports but Normal does not?

    Reply
    • Arijit:

      I’m not sure I understand your question. SharePoint will strip script out of Wiki text, if that’s what you mean. It doesn’t have anything to do with cross-site scripting, though.

      M.

      Reply

Have a thought or opinion?