Recently, while putting together a story for a website at work, I wanted to include a collection of tweets as part of the story. No problem, right? Twitter has an “Embed Tweet” function specifically for this. Just go to the tweet you want, click “embed”, copy the code, paste into your website content editor, and …
Oh crap. This embed code has a <script> tag in it.
Why is this a problem? Let one web service (which shall remain anonymous) explain in its answer to a user asking why this service’s embed code isn’t working on his site:
Frequently, a CMS may automatically strip out the script tag or important fields from our embed code. We’ve seen this with some WordPress, Drupal, Joomla, Shopify, and other CMS installations that have either custom security settings or security plugins/add-ons that do this automatically.
… you will need to disable the security setting or configure your security plugin to allow our embed code. How you do this varies from CMS to CMS so you may have to do some searching on Google or contact the person who manages your CMS to do this for you.
Oh, so your embed code likely doesn’t work with WordPress, Drupal, or Joomla. No biggie. Who uses those CMSes anyway?
Yet so many web services keep making embed codes that contain <script> tags, which pretty much renders their content unembeddable to anyone managing a site on a CMS. Disabling the security setting that strips out the <script> tag, as the tech support above suggests, is almost never a realistic option for a website manager. The security setting is there for a reason, and every programmer I’ve come across in the decade-plus that I’ve worked in web development has recommended against disabling it when this issue came up. Hmm. Open a possible backdoor to my company’s site that could wreak havoc, against the advice of my programmers, just so I can test out a new web tool? Why, yes please! While I’m at it, let me click on that mysterious link in the poorly written email from the shady-looking address warning me that my password had been compromised.
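To show what such a security setting does to an embed code, here is an added example (not from this post, and not any CMS's actual filter): a minimal allowlist filter in Python. The allowlist, the `filter_embed` name and both sample strings are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist for this sketch; each CMS filter ships its own.
ALLOWED = {"blockquote": {"class"}, "p": {"lang", "dir"}, "a": {"href"}}
DROPPED_WITH_CONTENT = {"script", "style"}

# Constructed samples: a tweet-style embed, and markup from an untrusted author.
TWEET_EMBED = (
    '<blockquote class="twitter-tweet"><p lang="en">Constructed sample tweet</p>'
    'Example (@example) <a href="https://twitter.com/example/status/1">June 1</a>'
    '</blockquote> <script async src="https://platform.twitter.com/widgets.js"></script>'
)
UNTRUSTED = ('Nice story <script>alert(1)</script>'
             '<a href="javascript:alert(1)" onclick="alert(1)">link</a>')

class EmbedFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0  # skip = depth inside dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip += 1
            self.removed.append(tag)
        elif not self.skip and tag in ALLOWED:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED[tag]:
                    continue  # drops onclick= and every other unlisted attribute
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue  # drops javascript: and other non-web URL schemes
                kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_embed(markup):
    # Returns (filtered_html, names_of_removed_elements).
    f = EmbedFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.removed
```

`filter_embed(TWEET_EMBED)` leaves only the plain `<blockquote>` fallback, because the filter has no way to tell the service's `widgets.js` loader apart from the inline script in `UNTRUSTED`.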
Sure, sometimes you can have your programmer add the script into the site header or the appropriate JS database to solve this issue, but that takes time — time you may not have when you’re working on deadline. Also, it may simply not be deemed worth the time or expense unless it’s something you will use frequently.
This is becoming a more frequent issue as more and more websites shift to running on CMSes while more and more content is being generated on third-party web services like Twitter and Facebook. As a content producer, you want to experiment with new tools to enrich your storytelling. Yet, when it comes time to pull the content from those web services into your site, well, let’s just say there’s a reason a web service’s embed function is among the first things I look at when considering whether to use that service for work.