MC397486 – Custom Formatters allow users to write declarative JSON to emit HTML. The “filepreview” elmType was introduced to show thumbnails in SharePoint document libraries with a fallback “fileType icon” for the cases when thumbnails aren’t available.
Microsoft came across a usage of this feature that allowed embedding external URLs on a SharePoint list. While Microsoft understands the powerful scenarios this could open up, it wants to permit this only after due diligence and after addressing any security concerns.
As an immediate step, Microsoft is restricting the feature to what it was initially intended to achieve, i.e., to show file thumbnails/previews.
When this will happen:
This change has been rolled out and Microsoft apologizes for not providing prior notice.
How this will affect your organization:
All URLs other than those which match the ones for thumbnails will be blocked. Users will not be able to embed external resources like SharePoint pages, lists, WXP files, Stream videos and YouTube videos on a SharePoint list.
At a later time, Microsoft will allow-list the URLs in a phased manner after ensuring the feature does not expose any security loopholes or lead to performance degradation. A separate communication will follow for the same.
What you need to do to prepare:
No action is required. You may consider notifying users about this change and updating your training and documentation as appropriate.
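One way to find formatters affected by this restriction, as an added example that is not Microsoft's code: the Python below walks a formatter's JSON and reports every `filepreview` element whose `src` is not a thumbnail token. It assumes thumbnail sources are written as `@thumbnail.<size>`; the exact URL matching Microsoft applies is not stated in this notice, and the sample formatter is constructed.

```python
import json

# Assumption: thumbnail sources use the "@thumbnail.<size>" token form.
# The notice does not state the exact matching rule Microsoft applies.
THUMBNAIL_PREFIX = "@thumbnail."

# Constructed sample formatter: one thumbnail preview, one external URL,
# and one nested preview whose src comes from a list field.
SAMPLE = """
{
  "elmType": "div",
  "children": [
    {"elmType": "filepreview", "attributes": {"src": "@thumbnail.medium"}},
    {"elmType": "filepreview", "attributes": {"src": "https://example.com/embed/video"}},
    {"elmType": "div", "children": [
      {"elmType": "filepreview", "attributes": {"src": "[$EmbedUrl]"}}
    ]}
  ]
}
"""


def find_blocked_previews(formatter_json):
    """Return (json_path, src) for each filepreview whose src is not a thumbnail token."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("elmType") == "filepreview":
                attrs = node.get("attributes")
                src = attrs.get("src") if isinstance(attrs, dict) else None
                # Expression objects and field references cannot be resolved
                # statically, so they are reported for manual review too.
                is_thumb = isinstance(src, str) and src.strip().startswith(THUMBNAIL_PREFIX)
                if src is not None and not is_thumb:
                    findings.append((path, src))
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")

    walk(json.loads(formatter_json), "$")
    return findings


if __name__ == "__main__":
    for path, src in find_blocked_previews(SAMPLE):
        print(f"{path}: {src}")
```

Run it over each exported column or view formatter; the reported paths point at the elements that will stop rendering and whose owners should be notified.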