Custom Formatters allow users to write declarative JSON to emit HTML. The “filepreview” elmType was introduced to show thumbnails in SharePoint document libraries with a fallback “fileType icon” for the cases when thumbnails aren’t available.
We came across a usage of this feature that allowed embedding external URLs on a SharePoint list. While we understand the powerful scenarios this could open up, we want to permit it only after due diligence and after addressing any security concerns.
As an immediate step, we are restricting the feature to what it was initially intended to achieve, i.e., to show file thumbnails/previews.
When this will happen
This change has been rolled out, and we apologize for not providing prior notice.
How this will affect your organization
All URLs other than those which match the ones for thumbnails will be blocked. Users will not be able to embed external resources like SharePoint pages, lists, WXP files, Stream videos and YouTube videos on a SharePoint list.
At a later time, we will allow-list the URLs in a phased manner after ensuring the feature does not expose any security loopholes or lead to performance degradation. A separate communication will follow when that happens.
What you need to do to prepare
No action is required. You may consider notifying users about this change and updating your training and documentation as appropriate.
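To work out which users to notify, an administrator can audit exported formatter JSON for "filepreview" elements that this restriction would affect. The following is an added example, not code from Microsoft or from this notice. It assumes that only the documented @thumbnail.<size> tokens count as thumbnail sources (the service's actual matching rule is not stated here), and the sample formatter and contoso.example URLs are constructed.

```python
import json
import re

# Assumption: only the documented @thumbnail.<size> tokens are thumbnail sources.
THUMBNAIL_TOKEN = re.compile(r"^@thumbnail\.(small|medium|large|\d+|\d+x\d+)$")


def find_blocked_previews(node, path="$"):
    """Return (json_path, src) for each filepreview whose src is not a thumbnail token."""
    findings = []
    if isinstance(node, dict):
        if node.get("elmType") == "filepreview":
            src = (node.get("attributes") or {}).get("src")
            # Conservative: an expression object can build any URL, so it is flagged too.
            is_token = isinstance(src, str) and THUMBNAIL_TOKEN.match(src.strip())
            if src is not None and not is_token:
                findings.append((path, src))
        for key, value in node.items():
            findings += find_blocked_previews(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_blocked_previews(item, f"{path}[{i}]")
    return findings


# Constructed sample formatter: one thumbnail preview and two non-thumbnail sources.
SAMPLE_FORMATTER = json.loads("""
{
  "elmType": "div",
  "children": [
    {"elmType": "filepreview", "attributes": {"src": "@thumbnail.medium"}},
    {"elmType": "filepreview",
     "attributes": {"src": "https://contoso.example/embed/page.aspx"}},
    {"elmType": "div", "children": [
      {"elmType": "filepreview",
       "attributes": {"src": {"operator": "+",
                              "operands": ["https://contoso.example/v/", "[$ID]"]}}}
    ]}
  ]
}
""")

if __name__ == "__main__":
    for json_path, src in find_blocked_previews(SAMPLE_FORMATTER):
        print(f"{json_path}: non-thumbnail src {json.dumps(src)}")
```

Formatters that produce findings are the ones whose embedded content will stop rendering; an empty result means the formatter only uses thumbnail sources.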
More information
Message ID: MC397486
Published: 06 July 2022
Updated: 06 July 2022
Platform: Online, World tenant