Safe URL policy (XSS protection)
We block unsafe URL schemes to prevent script injection via href/src.
What is blocked
To protect you and your visitors, GizmoSauce sanitizes URLs used in links and media sources.
We allow common safe protocols like https: and http: (and sometimes mailto: / tel:), and block unsafe protocols such as javascript: and data:.
What you should do
If a URL is rejected or stripped, replace it with a normal https:// URL. When possible, use the Media Library’s Safe URL option to validate assets.
Choose the right source (Uploads vs Unsplash vs Safe URL)
The Media Library is designed to make widgets look professional without manual URL wrangling.
Common sources:
- Uploads: best for brand assets (logos, product images, custom graphics).
- Unsplash: best for tasteful stock imagery with proper attribution.
- Safe URL: best for assets hosted on your own CDN or a stable image host.
- Icons: best for UI-style visuals like buttons and badges.
If a widget supports Media Library selection, use it instead of pasting raw URLs. You’ll avoid broken links, unsafe protocols, and low-quality images.
Image quality (thumbnails vs full images)
Inside the picker, GizmoSauce may show thumbnails for speed. In the actual widget preview and embed, we render higher-quality images so the result stays crisp.
If you ever see blurry images in the live widget:
- Confirm you selected the asset from the Media Library (not a pasted thumbnail URL).
- Re-open the picker and re-select the asset.
- Verify your theme isn’t forcing image-rendering rules globally.
Safe URL policy (why some links are blocked)
One of the most common browser security risks is injecting an unsafe URL into a link or image source.
GizmoSauce blocks unsafe URL schemes (like javascript: and data:) and allows safe ones like https:.
If a URL is rejected, replace it with a normal https URL or use the Media Library Safe URL tool to validate it.
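The two Safe URL policy sections above describe a scheme allowlist (https:, http:, sometimes mailto: / tel:) with javascript: and data: blocked. The following is an added illustration of that approach, not GizmoSauce's own sanitizer: the function names, the exact allowlist, the option names and the sample inputs are assumptions. It goes slightly beyond the text by showing the normalisation a browser applies before it reads the scheme (stripping leading whitespace and embedded tab/newline characters), which is why a naive startsWith("javascript:") check is not enough, and by attribute-escaping the result so an entity-encoded scheme cannot be reinterpreted when the markup is parsed.

```javascript
// Added example of a URL scheme allowlist of the kind this page describes.
// Illustrative code only, not GizmoSauce's sanitizer; function names,
// the allowlist and the sample inputs are assumptions.

const DEFAULT_ALLOWED = new Set(['https:', 'http:', 'mailto:', 'tel:']);
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

// Returns a string safe to put in href/src, or null when the URL must be stripped.
function sanitizeUrl(raw, { allowed = DEFAULT_ALLOWED, allowRelative = true } = {}) {
  if (typeof raw !== 'string') return null;

  // Mirror what the browser's URL parser does before it reads the scheme:
  // strip leading/trailing C0 controls and spaces, drop tab/LF/CR anywhere.
  // Without this, " javascript:..." or "java\nscript:..." would pass a
  // naive startsWith() check yet still run when clicked.
  const cleaned = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  if (cleaned === '') return null;

  let parsed;
  try {
    // Parse against a fixed base so relative paths like "/img/logo.png" are valid.
    parsed = new URL(cleaned, 'https://base.invalid/');
  } catch {
    return null; // unparseable input is never emitted
  }

  if (!HAS_SCHEME.test(cleaned)) {
    // No explicit scheme: a relative or protocol-relative reference.
    // Feed-sourced URLs should normally be checked with allowRelative: false.
    return allowRelative ? cleaned : null;
  }

  // parsed.protocol is lower-cased by the parser, so "JAVASCRIPT:" is caught too.
  return allowed.has(parsed.protocol) ? parsed.href : null;
}

// Escape a value for use inside a double-quoted HTML attribute. The scheme
// check runs on the decoded value; this keeps "&#58;"-style entities in the
// output from being decoded back into a colon by the HTML parser.
function attr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build an <img> tag from a caller-supplied source, dropping it when unsafe.
function renderImage(src, alt) {
  const safe = sanitizeUrl(src);
  if (safe === null) return ''; // stripped, as the policy above describes
  return `<img src="${attr(safe)}" alt="${attr(alt)}">`;
}

// Constructed sample inputs (not taken from any real feed) and the policy outcome.
const SAMPLES = [
  'https://cdn.example.com/logo.png',      // kept
  '/uploads/hero.jpg',                     // kept (relative)
  'mailto:hello@example.com',              // kept
  'JavaScript:alert(1)',                   // stripped (mixed case)
  ' \tjavascript:alert(1)',                // stripped (leading whitespace)
  'java\nscript:alert(1)',                 // stripped (embedded newline)
  'data:text/html;base64,PHNjcmlwdD4=',    // stripped (data:)
  'vbscript:msgbox(1)',                    // stripped (not on the allowlist)
];

// Returns [input, sanitized-or-null] pairs for every sample.
function runSamples() {
  return SAMPLES.map((u) => [u, sanitizeUrl(u)]);
}
```

For URLs that arrive from an external feed rather than from the site owner, call sanitizeUrl with allowRelative: false and an allowlist of just 'https:', so that only absolute HTTPS references reach href/src. The renderImage helper shows the second half of the defence: after the scheme check, the value is still attribute-escaped on output, because sanitising and encoding are separate steps.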
Need help? Send the right details (so we can answer fast)
Support is fastest when we can reproduce the issue.
Please include:
- The page URL where the widget is embedded (or the editor URL)
- The platform/builder (WordPress, Webflow, Shopify, Squarespace, etc.)
- What you expected to happen vs what you see
- A screenshot of where the snippet is pasted (or a short screen recording)
If your issue involves a social connection (Instagram/Threads/TikTok), also include:
- Which login path you used (Instagram vs Meta vs TikTok)
- A screenshot of the provider error screen (if any)
- Whether the account is Personal vs Business/Creator
Contact us here: /support.
FAQ
Can external social feeds inject scripts into the widget?
Unsafe URL schemes (such as javascript: and data:) are blocked in href/src. This reduces the XSS surface significantly.