HTML embed
The HTML embed feature lets you embed any HTML snippet in your content. The feature is meant for more advanced users who want to directly interact with HTML fragments.
Use the HTML embed toolbar button 
in the editor below to see the plugin in action. Click the βPreview editor dataβ button under the editor to preview the editor content, including the embedded HTML.
CKEditor 5 HTML Embed feature
The feature may be used to embed advanced textual content, both static and generated, that boosts discoverability, cross-language support, and accessibility. See examples below.
Advanced HTML markup
It allows authors to use advanced HTML markup within the content.
Scripted content
It can be used to produce generated content that is complicated under the surface but simple for the end user.
This feature lets you embed any HTML code and bypass CKEditor 5βs filtering mechanisms. You can use it to enrich content produced by CKEditor 5 with fragments of HTML that are not supported by any other CKEditor 5 feature.
Some examples of content that you can embed thanks to the HTML embed feature:
- Analytics code (that usually requires embedding
<script>elements). - Social page widgets (that also require embedding
<script>elements). - Content embeddable by
<iframe>elements. - HTML media elements such as
<audio>and<video>. - HTML snippets produced by external tools (for example, reports or charts).
- Interactive content that requires a combination of rich HTML and scripts.
We recommended using the media embed feature for embeddable media that this feature supports. You can use the HTML embed feature to handle the remaining content.
Read the Security section before installing this plugin.
Incorrect configuration may lead to security issues.
After installing the editor, add the feature to your plugin list and toolbar configuration:
import { ClassicEditor, HtmlEmbed } from 'ckeditor5';
ClassicEditor
.create( document.querySelector( '#editor' ), {
licenseKey: '<YOUR_LICENSE_KEY>', // Or 'GPL'.
plugins: [ HtmlEmbed, /* ... */ ],
toolbar: [ 'htmlEmbed', /* ... */ ],
htmlEmbed: {
// Configuration.
}
} )
.then( /* ... */ )
.catch( /* ... */ );The feature is by default configured to not show previews of the HTML snippets. You can enable the previews by setting the config.htmlEmbed.showPreviews option to true.
However, by showing previews of the embedded HTML snippets, you expose the users of your system to the risk of executing malicious JavaScript code inside the editor. Therefore, it is highly recommended to plug in some HTML sanitizer that will strip the malicious code from the created snippets before rendering their previews. You can plug in the sanitizer by defining the config.htmlEmbed.sanitizeHtml option.
ClassicEditor
.create( document.querySelector( '#editor' ), {
// ... Other configuration options ...
htmlEmbed: {
showPreviews: true,
sanitizeHtml: ( inputHtml ) => {
// Strip unsafe elements and attributes, for example:
// the `<script>` elements and `on*` attributes.
const outputHtml = sanitize( inputHtml );
return {
html: outputHtml,
// true or false depending on whether the sanitizer stripped anything.
hasChanged: true
};
}
}
} )
.then( /* ... */ )
.catch( /* ... */ );
Currently, the feature does not execute <script> tags so the content that requires executing JavaScript to generate a preview will not show in the editor. However, other JavaScript code, for example, used in on* observers and src="javascript:..." attributes will be executed. You still need to enable the sanitizer.
Displaying raw HTML previews can execute malicious JS (for example via onclick or javascript:) in your siteβs context. Read more about the security aspect in the next section.
If you configure the HTML embed feature to show content previews, the HTML that the user inserts into the HTML embed widget is then rendered back to the user. **If the HTML was rendered as-is, the browser would execute any JavaScript code included in these HTML snippets in the context of your website.
This, in turn, is a plain security risk. The HTML provided by the user might be mistakenly copied from a malicious website. It could also end up in the userβs clipboard (as it would usually be copied and pasted) by any other means.
You can instruct some advanced users to never paste HTML code from untrusted sources. However, in most cases, it is highly recommended to secure the system by configuring the HTML embed feature to use an HTML sanitizer and, optionally, by setting strict Content Security Policy (CSP) rules.
The tricky part is that some HTML snippets require executing JavaScript to render any meaningful previews (for example, Facebook embeds). Some, in turn, do not make sense to execute (like analytics code).
Therefore, when configuring the sanitizer and CSP rules, you can take these situations into consideration and for instance, allow <script> tags pointing only to certain domains (like a trusted external page that requires JavaScript).
Scripts may not run in the <script> tags in previews, but inline JS in attributes will. Always sanitize or limit allowed sources to stay safe!
The config.htmlEmbed.sanitizeHtml option allows plugging an external sanitizer.
Some popular JavaScript libraries that you can use include sanitize-html and DOMPurify.
The default settings of these libraries usually strip all potentially malicious content including <iframe>, <video>, or similar elements and JavaScript code coming from trusted sources. You may need to adjust their settings to match your needs.
When showPreviews = true, use libraries like DOMPurify or sanitize-html to prevent XSS Attacks. Sample code may look similar to this:
sanitizeHtml: inputHtml => {
const safe = DOMPurify.sanitize(inputHtml, {...});
return { html: safe, hasChanged: safe !== inputHtml };
}
Adjust allowed tags/attributes (for example: permit iframe only from trusted domains) to balance functionality and safety. Consider pairing this with CSP for stronger security. Check the Content previews and Security sections of this guide for more details.
In addition to sanitizing content, you can utilize the built-in browser mechanism called Content Security Policy. By using CSP, the browser recognizes allowed sources and methods of executing JavaScript code. It also allows including other resources such as style sheets, images, and fonts. Check out the dedicated Content Security Policy setup guide.
CKEditor 5 supports a wider range of embed and code features, including:
- Media embed β Insert embeddable media such as YouTube or Vimeo videos and tweets into your rich text content.
- Code blocks β Insert longer, multiline listings of pre-formatted code with a programming language assigned.
- General HTML Support β Enable HTML features (elements, attributes, classes, styles) that are not supported by other dedicated CKEditor 5 plugins.
The HtmlEmbed plugin registers:
- The UI button component (
'htmlEmbed'). - The
'htmlEmbed'command implemented byHtmlEmbedCommand.
You can execute the command using the editor.execute() method:
// Inserts an empty HTML embed.
editor.execute( 'htmlEmbed' );
// Inserts an HTML embed with some initial content.
editor.execute( 'htmlEmbed', '<b>Initial content</b>.' );
// Updates the content of a selected HTML embed.
editor.execute( 'htmlEmbed', '<b>New content.</b>' );
We recommend using the official CKEditor 5 inspector for development and debugging. It will give you tons of useful information about the state of the editor such as internal data structures, selection, commands, and many more.
The source code of the feature is available on GitHub at https://github.com/ckeditor/ckeditor5/tree/master/packages/ckeditor5-html-embed.