Most of the developers use the custom scripts to customize the SharePoint objects, data, to access and manipulate the SharePoint resources. In SharePoint, as an admin, you can allow or prohibit custom scripts to be added into site collection so that no one would be able to inject scripts into SharePoint.

Why BLOCK the scripts?

• If any user has Add and Customize Page permission, the user will be able to inject the script on the page.
• Once you allow the scripting, you won’t be able to know,
  • What all the code is inserted on the site
  • Who has inserted the Script
  • Where exactly the code is inserted
• Whatever access the logged user has on all the objects, the script inserted on the page, is also having the same access. The malicious script can harm your SharePoint objects.
• You cannot put governance on the inserted code. You can also not define the scope and capabilities of the inserted code.
• Once the code is inserted, you cannot block some of the code and allow the rest of the code.

Output when you block the scripts on site

If scripts are not enabled and you try to add any of the web parts (e.g. Script Editor Web Part), you will get an error like below.

It reads like: A Web Part or Web Form Control on this Page cannot be displayed or imported. You don’t have Add and Customize Pages permissions required to perform this action.

You can look at the features affected when custom script is blocked

Enable Custom Script in SharePoint Online manually

• You should be Tenant Admin to perform this action.
• Click on breadcrumb >> Click on Admin

• Click on SharePoint from Left-hand panel

• A page opens when you click on SharePoint in the above step. You can directly open this page just by typing this URL in your browser.Go to https://<tenantprefix>-admin.sharepoint.com (SharePoint Admin Center)
• Click on Settings

• Go to the classic settings page.

• A Settings page will open. Scroll down in the settings page until you get the option – Custom Script

• Tick on Allow users to run custom script on personal sites
• Tick on Allow users to run custom script on self-service created sites
• Click on OK. 

  Note:

  This setting may take up to 24 hours to take effect.

Enable Custom Script in SharePoint Online using PowerShell Script

In the SharePoint Online site, if the script is disabled, you will not be able to add the script editor web part on the page as shown below.

Now, we will run a PowerShell script to enable the script in Site Collection.

You will need to download SharePoint Online Management Shell to run the script mentioned below.

• Open SharePoint Online ManageentShell.
• Script:

• DenyAddAndCustomizePages : If you set 1, the command will Disable the custom scripting on the site collection
• DenyAddAndCustomizePages : If you set 0, the command will Enable the custom scripting on the site collection. You can see the result after running this command in the screenshot below. Script Editor Web part is visible.

Enable Custom Script in SharePoint on-premises manually

• Go Central administration >> Manage web applications
• Click on the web application that you want to set the security on and click on Web Part Security from Ribbon

• A pop up will open with Title – Security For Web Part Pages. Scroll till the bottom of the page.

• You will find an option – Scriptable Web Parts. Tick the option - Prevent contributors from adding or editing scriptable Web Parts as mentioned in the screenshot below