What are the risks of deploying the react-script-editor web part inside our SharePoint online tenant

john john 1,021 Reputation points
2021-11-12T00:22:10.217+00:00

I am working on a new SharePoint online tenant, and one of the requirements is to have a modern web part that is similar to the popular on-premises/classic Script Editor web part.

So I found this SPFx web part, react-script-editor, which mimics the on-premises/classic Script Editor web part.

But I have these questions about this web part:

1) Is it unsafe to have this web part inside the online SharePoint sites? In our case, some sites have all users as contributors, so all users can create modern pages and hence add this react-script-editor web part to the modern pages they create.

2) If the answer to question 1 is yes (using this web part is unsafe), then what can users do with this web part? Or what are the risks we will be exposed to? For example, can a user write a script inside this web part which gets the users' passwords and saves them to an external system?

3) If it is unsafe to use the react-script-editor web part out of the box, then are there any steps we can take to minimize the risks that this web part can cause?

Thanks

Microsoft 365 and Office SharePoint Development
Microsoft 365 and Office SharePoint For business Windows

1 answer

  1. RaytheonXie_MSFT 40,471 Reputation points Microsoft External Staff
    2021-11-12T06:07:56.09+00:00

    Hi @john john ,
    All client-side web parts are deployed or enabled to be available at site level by the tenant administrator using the tenant app catalog. If there are concerns about enabling script options in a tenant, this web part or an approach should not be approved by tenant administrators. Unfortunately, there seems to be no such function to change the permission of the tenant administrator to these web parts currently.

