Categories
Skip Navigation Links

Enable or Disable custom scripts for SharePoint

Most of the developers use the custom scripts to customize the SharePoint objects, data, to access and manipulate the SharePoint resources. In SharePoint, as an admin, you can allow or prohibit custom scripts to be added into site collection so that no one would be able to inject scripts into SharePoint.

Why BLOCK the scripts?

  • If any user has Add and Customize Page permission, the user will be able to inject the script on the page.
  • Once you allow the scripting, you won’t be able to know,
    • What all the code is inserted on the site
    • Who has inserted the Script
    • Where exactly the code is inserted
  • Whatever access the logged user has on all the objects, the script inserted on the page, is also having the same access. The malicious script can harm your SharePoint objects.
  • You cannot put governance on the inserted code. You can also not define the scope and capabilities of the inserted code.
  • Once the code is inserted, you cannot block some of the code and allow the rest of the code.

Notes:

  • By default, the script is allowed on the sites created by Tenant Admin.
  • BUT scripts are not allowed on OneDrive, Sites created by Users and Root site of the organization.
  • From Microsoft: If SharePoint was set up for your organization before 2015, your custom script settings might still be set to "Not Configured" even though in the SharePoint admin center they appear to be set to prevent users from running custom script. In this case, users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint. On the settings page of the SharePoint admin center, select OK to accept the custom script settings as they appear and enable cross-site copying.

Output when you block the scripts on site

If scripts are not enabled and you try to add any of the web parts (e.g. Script Editor Web Part), you will get an error like below.

Output when you block the scripts on site

It reads like: A Web Part or Web Form Control on this Page cannot be displayed or imported. You don’t have Add and Customize Pages permissions required to perform this action.

You can look at the features affected when custom script is blocked

Enable Custom Script in SharePoint Online manually

  • You should be Tenant Admin to perform this action.
  • Click on breadcrumb >> Click on Admin
  • Misrosoft o365 admin center navigation
  • Click on SharePoint from Left-hand panel
  • SharePoint Admin Center navigation
  • A page opens when you click on SharePoint in the above step. You can directly open this page just by typing this URL in your browser.Go to https://<tenantprefix>-admin.sharepoint.com (SharePoint Admin Center)
  • Click on Settings
  • sharepoint admin center settings navigation
  • Go to the classic settings page.
  • sharepoint admin center classic settings navigation
  • A Settings page will open. Scroll down in the settings page until you get the option – Custom Script
  • Custom Script option
  • Tick on Allow users to run custom script on personal sites
  • Tick on Allow users to run custom script on self-service created sites
  • Click on OK

    Note:

    This setting may take up to 24 hours to take effect.

Enable Custom Script in SharePoint Online using PowerShell Script

In the SharePoint Online site, if the script is disabled, you will not be able to add the script editor web part on the page as shown below.

Disabled Cusom Script

Now, we will run a PowerShell script to enable the script in Site Collection.

You will need to download SharePoint Online Management Shell to run the script mentioned below.

  • Open SharePoint Online ManageentShell.
  • Script:
  • # Provide SharePoint Admin Center URL
  • # after running this first command a popup will open and will ask to enter the credentials.
  • Connect-SPOService -Url https://<tenantprefix>-admin.sharepoint.com
  •  
  • # Provide Site Collection URL over here
  • Set-SPOSite -Identity http://MyServer/sites/MySiteCollection -DenyAddAndCustomizePages 0
  • DenyAddAndCustomizePages : If you set 1, the command will Disable the custom scripting on the site collection
  • DenyAddAndCustomizePages : If you set 0, the command will Enable the custom scripting on the site collection. You can see the result after running this command in the screenshot below. Script Editor Web part is visible.
  • Enabled Cusom Script

Note:

This setting will immediately take the effect.

Enable Custom Script in SharePoint on-premises manually

  • Go Central administration >> Manage web applications
  • Click on the web application that you want to set the security on and click on Web Part Security from Ribbon
  • Web Part Security Navigation
  • A pop up will open with Title – Security For Web Part Pages. Scroll till the bottom of the page.
  • Scriptable Webparts
  • You will find an option – Scriptable Web Parts. Tick the option - Prevent contributors from adding or editing scriptable Web Parts as mentioned in the screenshot below

Note:

  • This setting will immediately take the effect.
  • The user with Contribute access will not be able to use Script web parts. BUT Site Collection Administrator will still be able to add scripts. I have personally tested this. Let me know your feedback on this in the comments below.

We value your Feedback:

Page URL:

Name:

 

Email:

 
 

Suggestion:

 

© 2020 Code SharePoint