
HTML email template error: "Your template contains active content, which can't be verified as safe"

Knowledge Article Number 000233234
Description Salesforce has introduced a "blacklist" filter feature to protect organizations from Cross Site Scripting (XSS) vulnerabilities in HTML email templates. As the name indicates, this feature prevents an HTML template from being saved if it includes tags and attributes that are known XSS vectors, such as JavaScript event handlers. The feature also prevents such email templates from being used by end users and by automated processes such as workflow rules and change sets. The feature does not affect text or custom templates.

With the Summer ‘16 release this feature was further enhanced with additional security fixes to mitigate potential malicious exploits against organizations editing or using the templates. As a result, users may encounter XSS errors more frequently than they did prior to the Summer ‘16 release.

Here are a few examples of known XSS vectors:  

<DIV onmouseout="MyJavaScript.MenuInjectionHandler.hideMenu(event)"
     onmouseover="MyJavaScript.MenuInjectionHandler.showMenu(this, event)"> </DIV>

<INPUT TYPE="IMAGE" SRC="javascript:alert('Code');">

<TABLE BACKGROUND="javascript:alert('Code')">

src="data:image/png;base64,..."  (inline data URI images)
(When adding images to templates, link to publicly available images in the Documents tab instead.)

When the HTML editor detects any such XSS vectors, it will prevent the template from being saved and display the error message "Your template contains active content, which can't be verified as safe".

The error also occurs when migrating HTML templates containing XSS vectors using change sets, and when an automated process tries to use or update these templates.

To get rid of the error message and save an HTML template, administrators must edit the template and delete any XSS vectors that could be exploited.

Administrators who are comfortable with the Workbench utility can use it to extract the source code of the template, remove the XSS vectors, and import the template back into the organization.

Workbench example (API enabled orgs only):

Users can inspect their templates by running a SOQL query similar to SELECT HtmlValue,Id FROM EmailTemplate WHERE Id = '00XQ0000000XXXX' in a tool such as Workbench or the Developer Console in the application. They can then update the table entry in Workbench, or edit and save the row in the Developer Console, to remove the problematic tag.
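The script below is an added example, not part of this article and not Salesforce's own filter. It shows how an administrator can pre-check an HtmlValue string (such as the one returned by the SOQL query above) for the three vector classes listed earlier in the article (JavaScript event-handler attributes, javascript: URLs and inline data: URIs), report where each one sits, and produce a cleaned copy with only those attributes removed. The set of URL-bearing attributes it inspects and the attribute-stripping approach are this example's assumptions; Salesforce's real filter may flag additional content, so a template that passes this check can still be rejected.

```python
"""Pre-flight scan of a Salesforce HTML email template for active content.

Added example: mirrors the vector classes the article lists (on* event
handlers, javascript: URLs, data: URIs). The attribute list and the
stripping routine are assumptions of this example, not Salesforce's filter.
"""
import html
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a javascript: or
# data: scheme (assumed list; extend as needed).
URI_ATTRS = {"src", "href", "background", "action", "formaction",
             "poster", "lowsrc", "dynsrc"}


def _normalize(value):
    """Drop whitespace/control characters so 'java\\tscript:' is still caught."""
    return "".join(ch for ch in value
                   if not ch.isspace() and ord(ch) > 31).lower()


def attr_is_active(name, value):
    """Return a reason string if the attribute is an active-content vector."""
    name = name.lower()
    if name.startswith("on"):
        return "JavaScript event handler"
    if value is not None and name in URI_ATTRS:
        v = _normalize(value)
        if v.startswith("javascript:"):
            return "javascript: URL"
        if v.startswith("data:"):
            return "data: URI (link to a public image instead)"
    return None


class _Scanner(HTMLParser):
    """Record offending attributes and a rebuilt, cleaned version of each tag."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.findings = []   # (line, col, tag, attr, reason)
        self.rewrites = []   # (line, col, raw_tag_text, cleaned_tag_text)

    def handle_starttag(self, tag, attrs):
        self._inspect(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs, self_closing=True)

    def _inspect(self, tag, attrs, self_closing):
        line, col = self.getpos()          # position of the opening '<'
        safe, dirty = [], False
        for name, value in attrs:         # html.parser lowercases names
            reason = attr_is_active(name, value)
            if reason:
                dirty = True
                self.findings.append((line, col, tag, name, reason))
            else:
                safe.append((name, value))
        if dirty:
            # Rebuild the start tag from the safe attributes only.
            rebuilt = "<" + tag
            for name, value in safe:
                if value is None:
                    rebuilt += " " + name
                else:
                    rebuilt += ' %s="%s"' % (name, html.escape(value, quote=True))
            rebuilt += " />" if self_closing else ">"
            self.rewrites.append((line, col, self.get_starttag_text(), rebuilt))


def scan_template(html_value):
    """Return a list of (line, col, tag, attr, reason) findings."""
    p = _Scanner()
    p.feed(html_value)
    p.close()
    return p.findings


def strip_active_content(html_value):
    """Return a copy of the template with the flagged attributes removed."""
    p = _Scanner()
    p.feed(html_value)
    p.close()
    # Map html.parser's (1-based line, 0-based col) to absolute offsets.
    line_starts = [0]
    for i, ch in enumerate(html_value):
        if ch == "\n":
            line_starts.append(i + 1)
    out = html_value
    # Apply rewrites from the end backwards so earlier offsets stay valid.
    for line, col, raw, rebuilt in sorted(p.rewrites, reverse=True):
        start = line_starts[line - 1] + col
        out = out[:start] + rebuilt + out[start + len(raw):]
    return out


# Constructed sample HtmlValue containing the article's example vectors.
SAMPLE_TEMPLATE = """<html><body>
<DIV onmouseout="MyJavaScript.MenuInjectionHandler.hideMenu(event)"
     onmouseover="MyJavaScript.MenuInjectionHandler.showMenu(this, event)"> </DIV>
<INPUT TYPE="IMAGE" SRC="javascript:alert('Code');">
<TABLE BACKGROUND="javascript:alert('Code')"></TABLE>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<a href="https://example.com/unsubscribe">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for line, col, tag, attr, reason in scan_template(SAMPLE_TEMPLATE):
        print("line %d col %d: <%s %s=...> %s" % (line, col, tag, attr, reason))
    print(strip_active_content(SAMPLE_TEMPLATE))
```

Run it against the HtmlValue you pulled from Workbench and fix the reported lines in place, then re-run scan_template on the edited text before updating the row; a cleaned tag is rebuilt in lowercase with its safe attributes re-escaped, so review the diff before importing.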

Another effective way of removing the XSS vectors is to copy the contents of the problem HTML template and paste them into a brand new template. The copy & paste operation carries over the formatting in the template (images, fonts, colors, etc.) but strips the XSS code. You can also copy & paste the content into a text editor (Notepad, etc.) and then save the HTML template.

Either way, there might be some loss of functionality in the new template so thorough testing is strongly advised. 
