We’re working on launching the Product Updates feature and have run into a series of issues with the current scope of the text editor functionality. Many of the answers found here addressed some of our questions and concerns (I love that about this community!), but while many points are on a roadmap somewhere (e.g. attachments), there is an important one that, as I read the answers to it, only made me more curious.
The text editor itself is frankly very limited for Product Updates. At first, when our team saw the <> (Source) function, we assumed it would be fine and we could easily find workarounds using html and css. That… has not been the case, as has been addressed in many a topic here, and all of the answers that I’ve seen regarding the deletion of any html beyond the very basic tags have been that it’s a security issue. I just… have a question about that. We’re very big on security over here, but would it not be better to simply make the ability to touch source code extremely limited based on permissions? We can give the permission to upload files, so can we do this with touching the html/css? In theory this should be a risk assumed by the client, in part mitigated by developing the source feature in a way that prevents injecting anything like js.
If it’s limited to an admin and only accessible in the control environment, would it not be a better user experience to allow for a wider range of styling and formatting for the client through opening up the Source feature, with the burden of security/functionality being on the client as it is with anything else that we customize? If there’s a worry of too many folks having it, would there ever be a way to allow the inSided team to grant that access to specific users rather than even having it fall under a role? (e.g.: we have a vendor that gives ONE particular super user for our CRM special access to highly sensitive features even though we have multiple super users; those special permissions are all controlled by the vendor.)
This has been a big pain point for our team as they’re used to being able to bring in someone skilled with html/css to work on emails and even landing pages within our current CRM. That’s a risk that we (and all of their many clients) take on and permissions are heavily limited, which made me curious about the answers around security concerns. Of course, I’m not a cyber security specialist, which is why I’m looking for more details!!