HTML Calculated Column - Security

When certain column types are used in an HTMLCC formula, a list contributor can insert their own HTML, including JavaScript, into the page through the HTMLCC output. This is stored cross-site scripting: the formula concatenates the column value into markup without encoding it, so whatever the contributor typed is rendered as HTML for every user who views the list.

Reasons why this is a concern

As an example, suppose the following formula is used (it shows the title in bold):

="<b>" & [Title] & "</b>"

If a user then changes the title of a list item to the following:

<script type="text/javascript">alert('I can run JS code');</script>

The list view would then display a message box whenever the page is opened, for every user who views it.

Although this example is harmless, it shows that a list contributor can run JavaScript in other users' browsers. Because the script runs in the viewing user's session, it inherits that user's permissions. A more worrying use would be code that calls the SharePoint web services on the viewer's behalf; if the list is viewed by an administrator, the code would have that administrator's access to the SharePoint server's data.
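To make the mechanism concrete, the following is an added JavaScript example (not code from the HTMLCC project) that models how the formula above assembles its output from an item's Title, and contrasts it with a variant that HTML-encodes the value first. HTMLCC outputs raw HTML by design, so the encoding shown here is a model of the underlying problem, not a feature the page describes; the item values, the second payload and the `hasActiveContent` check are constructed for the illustration.

```javascript
// Added example, not part of the HTMLCC project. Models the formula
//   ="<b>" & [Title] & "</b>"
// applied to list items, with and without HTML-encoding the Title value.
// All items below are constructed test data.

// Encodes the characters that let text be interpreted as markup.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Mirrors the page's formula: the Text column value is concatenated as-is,
// so any markup the contributor typed becomes part of the page.
function renderTitleUnsafe(item) {
  return '<b>' + item.Title + '</b>';
}

// Hardened variant: the untrusted value is encoded before concatenation,
// so it can only ever be displayed as text, never parsed as markup.
function renderTitleSafe(item) {
  return '<b>' + htmlEncode(item.Title) + '</b>';
}

// Rough detector for markup that would run script in the viewer's browser:
// a <script> element, an on* event-handler attribute, or a javascript: URL.
// It is a constructed check for this example, not a general XSS filter.
const ACTIVE_CONTENT = /<\s*script\b|<\s*[a-z]+[^>]*\son\w+\s*=|javascript\s*:/i;
function hasActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed items: a normal title, the payload from the page, and an
// attribute-based variant that needs no <script> element at all.
const items = [
  { Title: 'Quarterly report' },
  { Title: '<script type="text/javascript">alert(\'I can run JS code\');</script>' },
  { Title: '<img src=x onerror="alert(1)">' },
];

function main() {
  for (const item of items) {
    const unsafe = renderTitleUnsafe(item);
    const safe = renderTitleSafe(item);
    console.log('unsafe:', unsafe, '-> active content:', hasActiveContent(unsafe));
    console.log('safe:  ', safe, '-> active content:', hasActiveContent(safe));
  }
}

main();
```

The unsafe rendering of the second and third items contains live markup, while the encoded rendering of the same items shows the payload as literal text. Note that the third payload carries no `<script>` tag at all, which is why the page's warning covers every column a contributor can put free text into, not just obviously script-like values.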

How to avoid this issue

The HTMLCC formula validation warns you if the formula references columns that are potentially a problem. The following column types pose a possible threat:

  • Text
  • Calculated columns (with an output type of Text)
  • Choice (with fill-in values enabled)

What these types have in common is that a contributor can put arbitrary text into them, and that text is emitted into the page unchanged. If you are adding an HTMLCC column to a list where untrusted users can add or edit items, avoid using these column types in the formula.
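As an added example of the check described above (not the HTMLCC project's own validation code), the following JavaScript extracts the `[Column]` references from a formula and flags the ones whose type matches the list. The column schema, the formulas and the `fillIn`/`outputType` property names are constructed for this illustration; a real implementation would read them from the list's field definitions.

```javascript
// Added example, not the HTMLCC project's own validation. Flags columns
// referenced by a formula whose type lets a contributor supply free text.
// The schema, formulas and property names below are constructed.

// The column types the page lists as a possible threat.
function isRiskyColumn(col) {
  switch (col.type) {
    case 'Text':
      return true;
    case 'Calculated':
      return col.outputType === 'Text';
    case 'Choice':
      return col.fillIn === true;
    default:
      return false;
  }
}

function describe(col) {
  if (col.type === 'Calculated') return 'calculated column with Text output';
  if (col.type === 'Choice') return 'choice column with fill-in values enabled';
  return col.type + ' column';
}

// Returns the distinct column names referenced as [Name] in a formula.
// Double-quoted string literals are removed first so that "[Title]" inside
// a literal is not mistaken for a reference ("" is an escaped quote).
function referencedColumns(formula) {
  const withoutLiterals = formula.replace(/"(?:[^"]|"")*"/g, '');
  const names = new Set();
  for (const m of withoutLiterals.matchAll(/\[([^\]]+)\]/g)) {
    names.add(m[1]);
  }
  return [...names];
}

// Returns one warning per referenced column that a contributor could abuse.
// An unknown column is reported too, since its type cannot be vouched for.
function riskyReferences(formula, schema) {
  const warnings = [];
  for (const name of referencedColumns(formula)) {
    const col = schema[name];
    if (!col) {
      warnings.push({ column: name, reason: 'unknown column' });
    } else if (isRiskyColumn(col)) {
      warnings.push({ column: name, reason: describe(col) });
    }
  }
  return warnings;
}

// Constructed schema for a hypothetical list.
const schema = {
  Title:    { type: 'Text' },
  Created:  { type: 'DateTime' },
  Status:   { type: 'Choice', fillIn: false },
  Category: { type: 'Choice', fillIn: true },
  Amount:   { type: 'Number' },
  Label:    { type: 'Calculated', outputType: 'Text' },
  Total:    { type: 'Calculated', outputType: 'Number' },
};

// Constructed formulas: the page's example, a safe one built only from
// fixed-choice and date columns, and two that reach risky columns.
const formulas = [
  '="<b>" & [Title] & "</b>"',
  '="<span style=\'color:red\'>" & [Status] & "</span> " & TEXT([Created],"yyyy-mm-dd")',
  '="<i>" & [Category] & "</i> [Title]"',
  '=IF([Total]>100,"<b>Large</b>","<b>Small</b>") & [Label]',
];

function main() {
  for (const f of formulas) {
    const warnings = riskyReferences(f, schema);
    console.log(f);
    if (warnings.length === 0) {
      console.log('  ok: no free-text columns referenced');
    }
    for (const w of warnings) {
      console.log('  warning: [' + w.column + '] is a ' + w.reason);
    }
  }
}

main();
```

The second formula passes because a Choice column without fill-in values and a DateTime column cannot carry contributor-supplied markup, which is exactly why they are absent from the page's list. The third formula is flagged for `[Category]` only: the `[Title]` inside the quoted literal is fixed text that the contributor cannot change.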