what are the security risks that we might face if we deploy the react-script-editor web part

%3CLINGO-SUB%20id%3D%22lingo-sub-2957031%22%20slang%3D%22en-US%22%3Ewhat%20are%20the%20security%20risks%20that%20we%20might%20face%20if%20we%20deploy%20the%20react-script-editor%20web%20part%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2957031%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3EI%20am%20working%20on%20a%20new%20SharePoint%20online%20tenant%2C%20and%20one%20of%20the%20requirements%20is%20to%20have%20a%20modern%20web%20part%20that%20is%20similar%20to%20the%20popular%20on-premises%2Fclassic%20Script%20Editor%20web%20part.%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CP%3Eso%20i%20found%20this%20SPfx%20web%20part%20%40%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fpnp%2Fsp-dev-fx-webparts%2Ftree%2Fmain%2Fsamples%2Freact-script-editor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fpnp%2Fsp-dev-fx-webparts%2Ftree%2Fmain%2Fsamples%2Freact-script-editor%3C%2FA%3E%2C%20which%20mimic%20the%20on-premises%2Fclassic%20Script%20Editor%20web%20part.%3C%2FP%3E%3CP%3Ebut%20i%20have%20these%20questions%20about%20this%20web%20part%3A-%3C%2FP%3E%3COL%3E%3CLI%3E%3CP%3EIs%20it%20unsafe%20to%20have%20this%20web%20part%20inside%20the%20online%20SharePoint%20sites%3F%20In%20our%20case%20some%20sites%20have%20all%20users%20are%20contributors%2C%20so%20all%20user%20can%20create%20modern%20pages%20and%20hence%20add%20this%20react-script-editor%20web%20part%20to%20the%20modern%20pages%20they%20create.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EIf%20the%20answer%20to%20question-1%20is%20Yes%20(using%20this%20web%20part%20is%20unsafe)%2C%20then%20what%20can%20users%20do%20with%20this%20web%20part%3F%20or%20what%20are%20the%20risks%20we%20will%20be%20exposed%20to%3F%20For%20example%20can%20a%20user%20write%20a%20script%20inside%20this%20web%20part%20which%20get%20the%20users'%20passwords%20and%20save%20them%20to%20external%20system%20%3F%3F%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EIf%20it%20is%20unsafe%20to%20use%20the%20react-script-editor%20web%20part%20out%20of%20the%20box%2C%20then%20are%20there%20any%20steps%20we%20can%20take%20to%20minimize%20the%20risks%20that%20this%20web%20part%20can%20cause%3F%3C%2FP%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThanks%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2957031%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Valued Contributor
I am working on a new SharePoint online tenant, and one of the requirements is to have a modern web part that is similar to the popular on-premises/classic Script Editor web part.

so i found this SPfx web part @ https://github.com/pnp/sp-dev-fx-webparts/tree/main/samples/react-script-editor, which mimic the on-premises/classic Script Editor web part.

but i have these questions about this web part:-

  1. Is it unsafe to have this web part inside the online SharePoint sites? In our case some sites have all users are contributors, so all users can create modern pages and hence add this react-script-editor web part to the modern pages they create.

  2. If the answer to question-1 is Yes (using this web part is unsafe), then what can users do with this web part? or what are the risks we will be exposed to? For example can a user write a script inside this web part which get the users' passwords and save them to external system ??

  3. If it is unsafe to use the react-script-editor web part out of the box, then are there any steps we can take to minimize the risks that this web part can cause?

Thanks

0 Replies