Preventing users from adding JavaScript with XSL
Our Content Management System, OmniUpdate, allows users to create reusable pieces of content called assets. As of this post there are five different types of assets, and two of them allow the user to add source code: Web Content and Source Code.
We prevented the average user from creating Source Code assets, but we wanted them to be able to create Web Content assets. The concern is that the Web Content editor's toolbar contains a [source] button that we can't disable, so a user can still type raw HTML into the asset, including script tags.
We had a conversation about removing the option to create Web Content assets, but determined that the average user should be able to create this type of content. To prevent users from adding scripts, we use a template match in the XSL to remove inline JavaScript:
Our editable regions all start with <ouc:div />, which gets matched first. Then the asterisk is a wildcard, followed by the script match. The pipe | is an OR operator, and the second branch looks for script tags that sit directly at the root of <ouc:div/>.
Each matched script is replaced with a comment telling the user that the script has been removed. At first I thought about wrapping the script in a content tag instead, but I didn't want users trying to get around that. This way, the user is prevented from adding script tags in the editable regions. Note that a match on script catches only script elements: JavaScript can also arrive through event-handler attributes such as onclick or onerror, or through javascript: URLs in href and src, so a template that is meant to block all JavaScript has to strip those as well.
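The following stylesheet is an added example, not the XSL from this post or from OmniUpdate. It assumes the ouc namespace URI shown below (use whatever your own templates declare) and that region content is un-namespaced XHTML with lowercase element names, as in PCF files. It goes beyond the post in two ways: a single ouc:div//script pattern covers both branches of the OR pattern (script at the root of the region and script nested at any depth), and it also strips inline event handlers and javascript: URLs, which a script-only match lets through.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example stylesheet (not the post's own XSL).
  Assumptions: the ouc namespace URI below is the one your templates use;
  region markup is un-namespaced XHTML with lowercase element names.

  Constructed input region for testing:
    <ouc:div label="body">
      <script>alert(1)</script>
      <p onclick="alert(2)">hello <a href="javascript:alert(3)">link</a></p>
      <div><script src="//evil.example/x.js"></script></div>
    </ouc:div>

  Result: both script elements become the "script removed" comment,
  the onclick attribute and the javascript: href are dropped, and
  everything else is copied through unchanged.
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ouc="http://omniupdate.com/XSL/Variables">

  <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>

  <!-- Identity transform: anything not caught by a more specific
       template below is copied to the output as-is. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- ouc:div//script matches a script at the root of the region
       (ouc:div/script) and at any depth below it, so one pattern
       replaces the "wildcard | root" OR pattern. The element and its
       content are replaced by a comment the editor can see. -->
  <xsl:template match="ouc:div//script">
    <xsl:comment> script removed: JavaScript is not allowed in editable regions </xsl:comment>
  </xsl:template>

  <!-- Beyond the post: drop inline event-handler attributes (onclick,
       onerror, onload, ...) inside a region. The name is lowercased for
       the comparison because XML attribute names are case-sensitive. -->
  <xsl:template match="ouc:div//@*[starts-with(
        translate(name(), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'),
        'on')]"/>

  <!-- Beyond the post: drop href/src attributes whose value begins with
       a javascript: scheme, after trimming whitespace and lowercasing.
       Browsers tolerate further obfuscation (control characters inside
       the scheme), so this is best-effort hardening, not a full sanitizer. -->
  <xsl:template match="ouc:div//@href[starts-with(normalize-space(
        translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')),
        'javascript:')]
      | ouc:div//@src[starts-with(normalize-space(
        translate(., 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')),
        'javascript:')]"/>

</xsl:stylesheet>
```

To try it locally outside the CMS, save the stylesheet and a test file containing the region above and run them through xsltproc (file names here are just placeholders): xsltproc strip-scripts.xsl region.xml. The empty templates for attributes work because an attribute with no output in its template simply does not appear in the result, while the identity template carries the rest of the element through.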