Is it bad for a cms to allow things to be inserted into the head section?

Not sure if this is the correct section, but here goes… For many years our company used a CMS system developed by myself, which mostly worked pretty well. One feature that I thought was really useful and used regularly was a field which would allow me to insert things into the head section of my pages. So if I had a page that needed some custom JS or a stylesheet to do something fancy, I'd just add that into the field and hey presto, it would output in the head of that page.

When the website was redeveloped (whilst I was off on parental leave for 6 months) it was completely redesigned and has nothing like this now, and won't even allow inline JS. I was told this was for security purposes.

What this means is that if I want just one page to be different, we'd have to either add that CSS to the main stylesheet, which would then be called for every page, or make a custom template for that page, which just isn't practical.

So my question is: is what I was doing a bad thing to do and, if so, why?

I am keen to have this built back in as it was incredibly useful and, to my mind, was a key advantage of my system over others.

Any thoughts appreciated.


So is your new CMS in WordPress? It is better to include any JavaScript in header.php or footer.php. Then it would be called by all the pages. No need for inline JS.

I hope I could answer what you are looking for.

I suppose there’s always a risk of someone doing something that shouldn’t have been done, even if not intentionally, accidentally. But I see no reason why letting trusted competent company staff call in CSS or JavaScript in the <head> would be a security risk as long as they knew what they were doing.

I suspect you were misinformed and the true reason was to remove render-blocking for an imagined SEO benefit. The fact that you now need to add your “only for one page” CSS to a site-wide file is consistent with having combined files to reduce the number of HTTP requests.

If you run a page through PageSpeed Insights, do you get a passing grade?

That is quite possible, to prevent XSS. They probably put a Content Security Policy in place that prevents inline JS from being run.

This is becoming more and more of a standard practice nowadays.
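To make the CSP point concrete, here is an added example (not code from the thread or from any CMS mentioned in it) of how a CMS could keep a trusted "head field" for per-page scripts while still refusing inline JS it did not emit itself. The CMS generates a fresh nonce per response, stamps it onto the `<script>` tags from the editor-supplied field, and sends a `script-src` policy that lists that nonce; `script_allowed` is a simplified model of the browser-side check (nonces, `'self'` and `'unsafe-inline'` only; hash sources and host lists are left out). All function names, the policy and the sample tags are assumptions constructed for the example.

```python
import base64
import re
import secrets

# Constructed example: a per-response nonce lets the CMS's own head-field
# scripts run while any <script> that reaches the page without the nonce
# (for example one injected through user-supplied content) is refused.

def make_nonce() -> str:
    """Fresh 128-bit random nonce, base64-encoded, generated once per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(nonce: str) -> str:
    """Policy allowing same-origin scripts plus inline scripts tagged with this nonce."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ])

def stamp_head_field(head_field: str, nonce: str) -> str:
    """Attach nonce="..." to every <script> tag in the editor-supplied head field.
    Only this restricted field is stamped; user-submitted content never is."""
    return re.sub(r"<script\b", f'<script nonce="{nonce}"', head_field)

def _directive(policy: str, name: str) -> list[str]:
    """Return the source list of one directive, or [] if it is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return []

def script_allowed(policy: str, script_tag: str) -> bool:
    """Simplified model of a browser checking one <script> tag against script-src."""
    sources = _directive(policy, "script-src") or _directive(policy, "default-src")
    nonce_m = re.search(r'nonce="([^"]+)"', script_tag)
    if nonce_m and f"'nonce-{nonce_m.group(1)}'" in sources:
        return True
    src_m = re.search(r'src="([^"]+)"', script_tag)
    if src_m:
        # A relative URL is same-origin and therefore covered by 'self'.
        return "'self'" in sources and not re.match(r"^(https?:)?//", src_m.group(1))
    # Inline script with no valid nonce: only 'unsafe-inline' permits it, and
    # browsers ignore 'unsafe-inline' once a nonce source is present.
    return "'unsafe-inline'" in sources and not any(s.startswith("'nonce-") for s in sources)

if __name__ == "__main__":
    nonce = make_nonce()
    policy = build_csp(nonce)
    head_field = "<script>startCountdown()</script>"          # constructed: trusted editor field
    injected = "<script>injected()</script>"                   # constructed: untrusted content
    print("Content-Security-Policy:", policy)
    print("head field allowed:", script_allowed(policy, stamp_head_field(head_field, nonce)))
    print("injected allowed:  ", script_allowed(policy, injected))
```

The design point is that trust is attached to the response, not to the content: a script earns the nonce only by passing through the CMS's restricted head field, so locking that field down to specific staff (as the thread suggests) is what makes the scheme hold, and stored content elsewhere on the page cannot obtain the nonce.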

From memory, I think this was the cited reason. But as long as the person putting any JS up is competent, I think the risk of putting up the odd bit of JS, like a countdown timer, would be negligible, as most staff wouldn't even know they could do it, and if it was locked down to specific staff it would be no worse than allowing web devs access to the server. Unless I am missing something.

@Mittineague, good guess, and it could possibly be part of the reason, but I don't think that was the entire reason, as our site now has a bloated Bootstrap CSS and another overriding stylesheet. My old site blows this one out of the water on speed and SEO techniques. It was built by back-end devs, so front end wasn't a high priority. For a while our site had a homepage that was 7 MB!!! as no one was checking what file size images were being uploaded at. Along with 30 validation errors (most of which still exist).

I probably shouldn't air my dirty laundry, though, as it was more about the concept, as it was something I'd use again (and in other projects) if it isn't the most dangerous thing in the world.

Thanks all.
