XSS and safe embeds

To reduce XSS risk, GizmoSauce:

• Renders external text as text (not HTML)
• Sanitizes URLs used in href/src
• Serves non-image uploads as downloads by default
• Isolates widget styles and DOM

This defense-in-depth approach makes it much harder for unsafe content to execute in your visitors’ browsers.

If you embed third‑party URLs inside a widget, always use normal https:// links. Avoid pasting untrusted HTML into any widget fields.

A common XSS pattern is injecting an unsafe URL into a link or image source. GizmoSauce blocks unsafe URL schemes (like javascript:) and allows safe protocols like https:.

If you paste a URL and it gets removed, replace it with a normal https URL or use the Media Library Safe URL tool to validate it.

No single technique is perfect, so GizmoSauce uses multiple layers:

• External text rendered as text (not HTML)
• URL sanitizing for href/src
• Style and DOM isolation
• Conservative defaults for non-image uploads

This reduces the chance that unsafe content from an external source can execute in your visitors’ browsers.

Support is fastest when we can reproduce the issue.

Please include:

• The page URL where the widget is embedded (or the editor URL)
• The platform/builder (WordPress, Webflow, Shopify, Squarespace, etc.)
• What you expected to happen vs what you see
• A screenshot of where the snippet is pasted (or a short screen recording)

If your issue involves a social connection (Instagram/Threads/TikTok), also include:

• Which login path you used (Instagram vs Meta vs TikTok)
• A screenshot of the provider error screen (if any)
• Whether the account is Personal vs Business/Creator

Contact us here: /support.