Loading

HTML email template error 'Your template contains active content, which can't be verified as safe'

Date de publication: May 5, 2026
Description


Salesforce has introduced a "blocklist" filter feature to protect organizations from Cross-Site Scripting (XSS) vulnerabilities in HTML email templates. Cross-Site Scripting (XSS) refers to a type of security vulnerability where malicious code is injected into web content to execute unauthorized actions. This feature prevents an HTML email template from being saved if it includes tags and attributes that are known to be XSS vectors, such as JavaScript event handlers.
The blocklist feature also prevents the use of such email templates by end users and automated processes such as workflow rules and change sets. The feature does not affect text or custom email templates.

Examples of XSS Vectors That Trigger This Error

The following types of HTML content are flagged by the Salesforce HTML editor as potential XSS vectors:

  • HTML elements with JavaScript event handlers, such as an HTML div element that includes onmouseout or onmouseover attributes containing JavaScript function calls.
    <DIV onmouseout="MyJavaScript.MenuInjectionHandler.hideMenu(event)"
         onmouseover="MyJavaScript.MenuInjectionHandler.showMenu(this, event)"> </DIV>
  • Image tags that use JavaScript in the SRC attribute, such as an INPUT element of TYPE IMAGE where the SRC is set to a javascript: protocol URL.
    <INPUT TYPE="IMAGE" SRC="javascript:alert('Code');">
  • Table elements that include JavaScript in the BACKGROUND attribute.
    <TABLE BACKGROUND="javascript:alert('Code')">
  • Images embedded using base64-encoded data URIs (beginning with src="data:image/png;base64"). Note: When adding images to templates, link to publicly available images in the Documents tab instead. Review Learn how to upload images for 'HTML (using Classic Letterhead)' email templates.)

    When the HTML editor detects any of these XSS vectors, it prevents the template from saving and displays the error message: "Your template contains active content, which can't be verified as safe."
    The error also appears when:
  • Migrating HTML templates containing XSS vectors using change sets.
  • An automated process tries to use or update these templates.


See also
Create Custom HTML Email Templates in Salesforce Classic
Create an Email Template in Lightning Experience

Résolution

This article explains how to identify and remove Cross-Site Scripting (XSS) vectors from Salesforce HTML email templates to resolve the "active content" save error. Administrators must edit the template and remove any XSS vectors before the template can be saved and used.

Option 1: Edit the Template Directly

Open the HTML email template in the Salesforce template editor. Review the HTML source for any JavaScript event handlers, JavaScript-based SRC attributes, or base64 image data. Delete these elements from the template. After saving, test the template to confirm full functionality.

Option 2: Use Workbench to Extract and Clean the Template

Workbench is a free, open-source utility for interacting with Salesforce APIs. It is available to organizations with API access enabled.
To use Workbench:

  1. Log in to Workbench and navigate to Utilities > SOQL Query. 
  2. Run a query to retrieve the HTML source of the affected template. For example, query the EmailTemplate object using the template's ID to retrieve the HtmlValue field. (SELECT HtmlValue, Id FROM EmailTemplate WHERE Id = '00XQ0000000XXXX')
  3. Copy the HtmlValue content and paste it into a text editor such as Notepad or Visual Studio Code.
  4. Remove any JavaScript event handlers or unsafe HTML attributes identified in the source.
  5. Use Workbench to update the EmailTemplate record with the cleaned HtmlValue.

Option 3: Copy and Paste Into a New Template

Another effective approach is to copy the contents of the problematic HTML template and paste them into a brand new template. The copy-and-paste operation preserves formatting such as images, fonts, and colors, but removes the XSS code. You can also paste the content into a plain text editor first, then paste back into the new template to strip all formatting.

Check for Browser Extensions Adding External Code

In some cases, browser extensions or the browser itself may be injecting external code into the template editor. Try disabling all browser extensions or using an incognito (private) browser window to see if this resolves the error. A quick audit of your organization's setup may also be needed.


Note: There may be some loss of functionality in the cleaned template, so thorough testing is strongly advised before making the template available to users or automated processes.

Numéro d’article de la base de connaissances

000387065

 
Chargement
Salesforce Help | Article