Contribute to this guide

guideHTML embed

The HtmlEmbed plugin allows embedding an arbitrary HTML snippet in the editor. The feature is targeted at more advanced users who want to directly interact with HTML fragments.

This feature can be used to embed any HTML code and bypass the CKEditor 5’s filtering mechanisms. Thanks to that it is possible to enrich content produced by CKEditor 5 with fragments of HTML that are not supported by any other CKEditor 5 feature.

Some examples of content that can be embedded thanks to the HTML embed feature:

  • Analytics code (that usually require embedding <script> elements).
  • Social page widgets (that also require embedding <script> elements).
  • Content embeddable by <iframe> elements.
  • HTML media elements such as <audio> and <video>.
  • HTML snippets produced by external tools (for example, reports or charts).
  • Interactive content that requires a combination of rich HTML and scripts.

It is recommended to use the media embed feature for embeddable media that are supported by this feature. The HTML embed feature can be used to handle remaining content.

Read the Security section before installing this plugin.

Incorrect configuration may lead to security issues.

# Demo

Use the HTML embed toolbar button HTML embed in the editor below to see the plugin in action. Click the “Preview editor data” button below the editor to see a preview of the editor content, including the embedded HTML.

CKEditor 5 supports a wider range of embed and code features, including:

  • Media embed – Insert embeddable media such as YouTube or Vimeo videos and tweets into your rich text content.
  • Code blocks – Insert longer, multiline listings of pre-formatted code with a programming language assigned.

# Installation

To add this feature to your rich-text editor, install the @ckeditor/ckeditor5-html-embed package:

npm install --save @ckeditor/ckeditor5-html-embed

And add it to your plugin list configuration:

import HtmlEmbed from '@ckeditor/ckeditor5-html-embed/src/htmlembed';

ClassicEditor
    .create( document.querySelector( '#editor' ), {
        plugins: [ HtmlEmbed, ... ],
        toolbar: [ 'htmlEmbed', ... ],
    } )
    .then( ... )
    .catch( ... );

Read more about installing plugins.

# Configuration

# Content previews

The feature is by default configured to not show previews of the HTML snippets. The previews can be enabled by setting the config.htmlEmbed.showPreviews option to true.

However, by showing previews of the embedded HTML snippets, you expose the users of your system to the risk of executing malicious JavaScript code inside the editor. Therefore, it is highly recommended to plug some HTML sanitizer that will strip the malicious code from the created snippets before rendering their previews. The sanitizer can be plugged by defining the config.htmlEmbed.sanitizeHtml option.

ClassicEditor
    .create( document.querySelector( '#editor' ), {
        plugins: [ HtmlEmbed, ... ],
        toolbar: [ 'htmlEmbed', ... ],
        htmlEmbed: {
            showPreviews: true,
            sanitizeHtml: ( inputHtml ) => {
                // Strip unsafe elements and attributes, e.g.:
                // the `<script>` elements and `on*` attributes.
                const outputHtml = sanitize( inputHtml );

                return {
                    html: outputHtml,
                    // true or false depending on whether the sanitizer stripped anything.
                    hasChanged: true
                };
            }
        }
    } )
    .then( ... )
    .catch( ... );

Currently, the feature does not execute <script> tags so the content that requires executing JavaScript in order to generate a preview will not show in the editor. However, other JavaScript code, for example, used in on* observers and src="javascript:..." attributes will be executed and therefore a sanitizer still needs to be enabled.

Read more about the security aspect in the next section.

# Security

If the HTML embed feature is configured to show content previews, the HTML that the user inserts into the HTML embed widget is then rendered back to the user. If the HTML was rendered as-is, any JavaScript code included in these HTML snippets would be executed by the browser in the context of your website.

This, in turn, is a plain security risk. The HTML provided by the user might be mistakenly copied from a malicious website or end up in the user’s clipboard (as it would usually be copied and pasted) by any other means.

In some cases, advanced users can be instructed to never paste HTML code from untrusted sources. However, in most cases, it is highly recommended to properly secure the system by configuring the HTML embed feature to use an HTML sanitizer and, optionally, by setting strict CSP rules.

The HTML embed feature does not currently execute code in <script> tags. However, it will execute code in the on* and src="javascript:..." attributes.

The tricky part is that some HTML snippets require JavaScript to be executed to render any meaningful previews (for example, Facebook embeds). Some, in turn, do not make sense to be executed (analytics code).

Therefore, when configuring the sanitizer and CSP rules, you can take these situations into consideration and for instance, allow <script> tags pointing only to certain domains (e.g. a trusted external page that requires JavaScript).

# Sanitizer

The config.htmlEmbed.sanitizeHtml option allows plugging an external sanitizer.

Some popular JavaScript libraries that can be used include sanitize-html and DOMPurify.

The default settings of these libraries usually strip all potentially malicious content including <iframe>, <video>, etc. elements and JavaScript code coming from trusted sources so you may need to adjust their settings to match your needs.

# CSP

In addition to using a sanitizer, you can use the built-in browser mechanism called Content Security Policy. By using CSP you can let the browser know the allowed sources and means to execute JavaScript code and include other resources such as stylesheets, images and fonts.

# Common API

The HtmlEmbed plugin registers:

Both commands can be executed using the editor.execute() method:

editor.execute( 'insertHtmlEmbed' );
editor.execute( 'updateHtmlEmbed', '<p>HTML string</p>' );

We recommend using the official CKEditor 5 inspector for development and debugging. It will give you tons of useful information about the state of the editor such as internal data structures, selection, commands, and many more.

# Contribute

The source code of the feature is available on GitHub in https://github.com/ckeditor/ckeditor5/tree/master/packages/ckeditor5-html-embed.