Heads Up: Recent Security Update
The HTML block now automatically removes certain unsafe code patterns when you edit and save a landing page or popup. This is a security enhancement to protect your business and your customers. If you use custom HTML, some code may need to be adjusted. Review the sections below to see what is affected and what steps, if any, you need to take.
To keep your landing pages and popups protected from security threats like phishing redirects and malicious scripts, the HTML block automatically filters out unsafe code patterns when you edit and save a page.
If your landing pages or popups use custom HTML, this helps prevent unauthorized scripts from running while keeping standard HTML and JavaScript functionality intact.
Why HTML Block Security Matters
The HTML block's built-in filtering is designed to protect:
- Your business reputation
- Your customer data
- Visitors interacting with your landing pages and popups
By automatically filtering out code patterns associated with security exploits, Thryv helps ensure your pages stay trustworthy and professional without putting the burden on you to manage it manually.
How Security Filtering Works
Security filtering applies when you edit and save a landing page or popup. Pages that are already published are not affected until they are opened and saved again in the editor.
Once saved, any unsupported code patterns in the HTML block are automatically removed.
We recommend reviewing any landing pages or popups that use custom HTML so you're prepared to make adjustments the next time you edit them.
Code Patterns That Are Filtered Out
The HTML block filters out code patterns commonly associated with security vulnerabilities. If custom HTML stops working after saving, it's likely due to one of the patterns listed below.
Inline event handler attributes
- onclick
- onerror
- onload
- onmouseover
- onchange
- onsubmit
- Any attribute that begins with on*
Unsafe URI protocols
- javascript: in href or src attributes
- vbscript: in any attribute
- data: URIs in src attributes
Inline images using data:image/* are still supported.
Certain HTML Tags
- <object>
- <applet>
- <base>
- <meta http-equiv="refresh">
Unsafe CSS patterns
- expression()
- -moz-binding
- behavior
What Is Still Fully Supported
Script tags
<script> tags are fully supported, including:
- Inline JavaScript
- Externally hosted scripts such as Google Analytics or tracking pixels
- Custom JavaScript logic
Embedded content
Embedded content continues to work using <iframe> and <embed>, including:
- <iframe>
- <embed>
You can still embed:
- YouTube, Vimeo, or Wistia videos
- Third-party forms and external widgets
Common Use Cases and How to Adjust
Understanding how the HTML block's security filtering applies to your specific setup makes it easy to know whether any adjustments are needed. Most common configurations require little to no changes.
Tracking scripts (Google Analytics, Google Tag Manager, etc.)
- No action is needed. These use <script> tags, which are not affected.
Embedded video (Wistia, YouTube, Vimeo, etc.)
- No action is needed. These use <iframe> or <embed> tags and are not affected.
Progressive form behavior (showing or hiding fields based on user input)
If you are currently using inline event handlers such as onchange or onmouseover directly on HTML elements, move that logic into a <script> tag.
Referral campaigns and field manipulation
If you use JavaScript to clear pre-filled fields or populate custom values (such as “Referred By”), this will continue to work as long as the logic is inside <script> tags rather than inline event attributes.
URL redirects with parameters
If you use javascript: in href attributes to redirect visitors with URL parameters, move that logic into a <script> tag instead.
Standard links such as https://yoursite.com?param=value are not affected.
Getting Your Pages Ready
If you have landing pages or popups with custom HTML, a quick review before your next edit is all it takes to stay ahead of any adjustments.
Look for the following in your HTML blocks:
- Inline event handlers such as onclick, onchange, or onload
- javascript: links in href attributes
- Custom scripts or dynamic behavior that may rely on unsupported patterns
In most cases, moving logic into a <script> tag is a straightforward fix that keeps everything working as intended.
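As an added example (not Thryv's filter and not code from this article), the following JavaScript runs in Node.js and flags the patterns listed above in a block of custom HTML before you open the page in the editor. The function names, finding messages, and sample HTML are constructed for illustration, and the regex matching is approximate, so treat the output as a review checklist rather than a prediction of exactly what will be removed.

```javascript
// Added example: a review aid for custom HTML, not Thryv's actual filter.
// Regex-based and approximate; it flags the patterns listed in this article.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const BLOCKED_TAGS = new Set(["object", "applet", "base"]);
const CSS_RE = /expression\s*\(|-moz-binding|(?<![\w-])behavior\s*:/i;

// Read the URL scheme after dropping whitespace and control characters.
function scheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value.replace(/[\u0000-\u0020]/g, ""));
  return m ? m[1].toLowerCase() : "";
}

function auditHtml(html) {
  const findings = [];
  const add = (tag, issue) => findings.push(`<${tag}> ${issue}`);
  // <script> bodies remain supported, so blank them before scanning tags.
  const markup = html.replace(/(<script\b[^>]*>)[\s\S]*?(<\/script>)/gi, "$1$2");
  for (const [, rawTag, rawAttrs] of markup.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    if (BLOCKED_TAGS.has(tag)) add(tag, "tag is filtered out");
    for (const [, rawName, dq, sq, bare] of rawAttrs.matchAll(ATTR_RE)) {
      const name = rawName.toLowerCase();
      const value = dq ?? sq ?? bare ?? "";
      const proto = scheme(value);
      if (name.startsWith("on")) add(tag, `inline event handler ${name}`);
      if (proto === "vbscript") add(tag, `vbscript: in ${name}`);
      if (proto === "javascript" && (name === "href" || name === "src")) add(tag, `javascript: in ${name}`);
      // data:image/* in src is still supported, per the article.
      if (proto === "data" && name === "src" && !/^data:image\//i.test(value.trim()))
        add(tag, "non-image data: URI in src");
      if (tag === "meta" && name === "http-equiv" && value.trim().toLowerCase() === "refresh")
        add(tag, "http-equiv refresh");
      if (name === "style" && CSS_RE.test(value)) add(tag, "unsafe CSS in style attribute");
    }
  }
  for (const [, css] of markup.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi))
    if (CSS_RE.test(css)) findings.push("<style> unsafe CSS pattern");
  return findings;
}

// Constructed sample input for illustration.
const SAMPLE = `<select id="plan" onchange="toggle()"><option>A</option></select>
<a href="javascript:go()">Next</a> <a href="https://yoursite.com?param=value">OK</a>
<img src="data:image/png;base64,AAAA"> <iframe src="data:text/html,hi"></iframe>
<meta http-equiv="refresh" content="0;url=https://example.com">
<div style="width: expression(1)"></div>
<script>document.getElementById("plan").addEventListener("change", toggle);</script>`;
console.log(auditHtml(SAMPLE).join("\n"));
```

An empty result means none of the listed patterns were found; the `<script>` line in the sample shows the supported replacement for the inline `onchange` handler.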
Need Help?
If you have questions or need help updating or migrating your HTML code, please contact Support for assistance.