How do I block custom templates that let Matomo admins run JavaScript on the website like “Custom HTML” or “Custom JS Function”?
Disabling “Custom Templates” can improve the security of your website. Some triggers, tags, and variables allow a Matomo user to enter HTML or JavaScript that will be executed on your website. Custom code can not only break the container if it contains an error, but also lets that user execute any JavaScript code on your website. This can be misused, for example, to steal sensitive information from your website. If you do not want to allow your team members to enter any JS code, you can disable these templates by going to “Administration => General Settings”. There you can disable them in one click under the “Tag Manager” category.