Now there is official information from Salesforce about this. They will kill this workaround with the Spring '16 Release, which is currently targeted for February 2016.
ATTENTION: Messages & Alerts and Custom Link Components Changes
At Salesforce, trust is our #1 value and our priority is to provide
customers with the industry’s highest levels of security,
availability, and performance. With that in mind, we want to notify
you of an important change regarding certain home page components that
your organization has used.
What is changing?
The Salesforce Technology team is updating code
within the standard Messages & Alerts and Custom Links home page
components, including JavaScript and custom HTML markup to comply with
our evolving security architecture best practices. These changes will
enhance the security of your organization.
How will this affect my organization?
With the Spring ‘16 release*,
Salesforce will no longer support code in Messages & Alerts or Custom
Links that is not whitelisted. Any unsupported content will be removed
prior to rendering the page. This may affect your organization, and we
strongly encourage you to plan accordingly to remove any unsupported
content in advance.
*Currently targeted for February 2016; date subject to change
What do you recommend?
If you wish to continue using these features,
we encourage you to migrate to Visualforce Area home page components,
which offer more flexibility and security. These point to a
Visualforce page, rendered in an iframe in the home page layout.
Alternatively, you can remove or update code that does not pass the
markup whitelist.
Note: JavaScript in the Visualforce Area home page component will not
be able to interact with standard pages that contain the component.
How can I get more information?
Please see the Message & Alerts and
Custom Links Home Page Components changes article for more details.
For additional questions, please reach out to Customer Support by
opening a case via the Help & Training portal.
What is changing and when is the change?
With the Spring ‘16 release*, changes will be made to better align standard Messages & Alerts and Custom Links home page components
markup to comply with our evolving security architecture best
practices and we will end support for non-whitelisted content.
These changes will provide more flexibility in your components and enhance the security of your organization.
At runtime, standard Messages & Alerts and Custom Links home page components with non-whitelisted markup will no longer be rendered in
the page.
*Currently targeted for February 2016; date subject to change
- What action do I need to take?
If you wish to continue using these features, we encourage you to migrate to Visualforce Area home page components, which offer more
flexibility and security. You can either move the HTML markup to a
Visualforce Area component or remove code that does not pass the
markup whitelist.
- What are Visualforce Area home page components?
Visualforce Area home page components have been available since the Summer ‘14 release. These point to a Visualforce page rendered in
an iframe in the home page layout. The iframe takes the full width of
the column (narrow or wide) but users specify the height.
Some information about the containing page is passed into the Visualforce page: see #5, How do Visualforce home page components
work?
- How will I know if there is JavaScript in standard Messages & Alerts and Custom Links home page components?
If you have customized the standard Messages & Alerts or Custom Links home page components with HTML code, you will need to manually
review the inserted code to look for the presence of Javascript with a
<script> tag or other methods, such as onclick(). To manually review
the inserted code, follow these steps:
1) From Setup, click Customize > Home > Home Page Components. Click
Edit next to either Messages & Alerts or Custom Links; both components
need review and are in the Standard Components related list.
Example of Home Page Components page:
2) Review the text for HTML code. If the text is plain text, there is
no action necessary.
3) If HTML code is present in the text, use the browser search
capabilities to search the text block for offending content with a
<script> or other methods, such as onclick(). If you find any
offending content, either you will need to remove it or replace the
entire component with a Visualforce component.
Example of Message & Alerts page with offending content:
Example of Custom Links page:
b. An example of acceptable content in the Bookmark fields in standard
Custom Links components is as follows:
Bookmark = Salesforce Success Community
URL = https://success.salesforce.com/
If you have manually entered offending content in the Bookmark
fields in standard Custom Links components Javascript with a
<script> tag or other methods, such as onclick(), either you will need to
remove it or replace the entire component with a Visualforce
component.
How do Visualforce home page components work?
Visualforce home page components allow you to specify a Visualforce
page to show on either the home page or in the sidebar on other pages.
Visualforce home page components:
Can be added to the narrow or wide column of the home page layout.
Can use a standard or custom controller.
Are rendered in an iframe in the home page layout. The iframe takes the full width of the column (narrow or wide); you specify the
height at design time.
Sometimes receive information as query string parameters, allowing the Visualforce page to display information specific to the top-level
page:
The path of the top-level page
The ID of the record, if the Visualforce home page component is in the narrow column and included in all pages
May contain JavaScript, but the JavaScript will not be able to interact with the page containing the iframe as Visualforce pages are
served on a different domain.
- Based on the record/tab I'm viewing, can I use a Visualforce home page component to render different information in the sidebar?
Yes, as long as the rendered content is contained within the iframe in
the sidebar. For example, if you have a list of links that change
depending on whether you're viewing an account or an opportunity, then
you can use a Visualforce home page component.
- Can I use a Visualforce home page component that shows up in the sidebar for some pages, but not others?
No, you can choose to have sidebar components display only on the home
page or display on all pages in the User Interface settings. But if
the component displays on all pages, then it displays on all pages --
for example, there's no way to display it only on record detail pages.
- Can I use JavaScript in a Visualforce home page component?
Yes, Visualforce pages used in home page components have no additional
restrictions compared to Visualforce pages used in tabs (see Using
JavaScript in Visualforce Pages in Help & Training). However, the
JavaScript cannot interact with elements outside the iframe.
- On a record detail page, can I use JavaScript in a Visualforce home page component to hide or show content?
No, Visualforce pages are served on a different domain and are
rendered in an iframe. They cannot interact with pages served in the
Salesforce domain.
- If I’d like to change the style of headings or other elements in a record detail page, can I use JavaScript in a Visualforce home page
component?
No, Visualforce pages are served on a different domain and are
rendered in an iframe. They cannot interact with pages served in the
Salesforce domain.
- What happens if my standard Messages & Alerts and Custom Links home page components used an iframe to point to a page that's not a
Visualforce page?
These components will not allow iframes as part of the whitelisted
markup. You can create a Visualforce home page component and redirect
to another page from within the Visualforce page.
- I have customized Salesforce to leverage JavaScript in standard Messages & Alerts and Custom Links home page components, and this
change is going to eliminate a lot of my customizations. How can I
avoid eliminating my customizations?
We realize that this change may cause inconvenience for you, yet you
will not be able to avoid the customizations from being eliminated.
This notice should provide time to replace standard Messages & Alerts
and Custom Links home page components with Visualforce home page
components. Salesforce does not recommend or support the use of
JavaScript in home page components (and never has) -- particularly if
the JavaScript is used to interact with markup served by Salesforce,
because we can't guarantee that our page markup will remain the same
between releases.
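The manual review in steps 1 to 3 of the notice can be automated once the component text has been copied out of Setup. This is an added example, not part of the Salesforce notice or the original post: a Python check that flags <script> and <iframe> tags, inline on* handlers such as onclick, and (going beyond the notice) javascript: URLs. The tag and attribute lists are assumptions, not Salesforce's actual whitelist, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# Assumption: these lists approximate the review the notice describes;
# they are not Salesforce's actual markup whitelist.
FLAGGED_TAGS = {"script", "iframe"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ComponentAuditor(HTMLParser):
    """Collects (line, kind, name) findings from component markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and entity-decodes values.
        line = self.getpos()[0]
        if tag in FLAGGED_TAGS:
            self.findings.append((line, "tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS and value:
                # Drop whitespace before comparing; this errs towards flagging.
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.findings.append((line, "javascript-url", name))


def audit_component(markup):
    """Return findings for one component's text; an empty list means clean."""
    auditor = ComponentAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample inputs (not taken from a real org).
SAMPLE_CLEAN = '<a href="https://success.salesforce.com/">Salesforce Success Community</a>'
SAMPLE_FLAGGED = """<b>Quarter end reminder</b>
<script src="/resource/sidebar.js"></script>
<a href="#" onclick="toggle()">Details</a>
<a href="JavaScript:void(0)">More</a>
<iframe src="https://example.com/widget"></iframe>"""

if __name__ == "__main__":
    for line, kind, name in audit_component(SAMPLE_FLAGGED):
        print(f"line {line}: {kind}: {name}")
```

Any component that returns findings needs the same decision the notice gives: remove the flagged markup or move the component to a Visualforce Area.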
Best Answer
ALERT UPDATE (Spring'16)
These workarounds were never supported by Salesforce officially. They have worked for many years but now they are no longer possible with the Spring'16 Update. It was announced by Salesforce in 2015 that even the workarounds described in the section below for Winter'16 are shut down with the Spring'16 Release, in February 2016. I verified it on different pods and can confirm it's over. Here are the details:
End of Sidebar workarounds via Messages & Alerts and Custom Links finally in Winter or Spring '16? It's pretty clear and it looks like we have an end-date now.
The new Lightning Experience UI is still evolving. The Lightning Experience UI will probably make a lot of use cases for these workarounds obsolete. At this time (2015-10) the new UI is not really feature complete. With the Spring '16 Release it's likely that many features required by typical customers might be there. However in my opinion it won't be possible to migrate all Orgs in 2016-02 on the Lightning Experience UI.
Unfortunately most (or all) of the limitations of the Aloha UI we found reasonable for considering those workarounds are still present.
So the decision to shut down the workarounds at this time can create some extra effort only for an intermediate time until most Orgs can migrate completely to Lightning Experience. It would have been nice if Salesforce could allow us a little bit more "grace time" for those Orgs, e.g. in form of a critical update or in form of switching that "security improvement" off for one or two releases...
MODIFICATION UPDATE (Winter'16)
Here you can find a way which worked until Spring'16: Requirescript change in Winter '16 release
ORIGINAL POST (Summer'14 to Summer'15 )
At least up to Summer'15 there is a solution without HTML-Areas.
What does NOT work anymore:
New HTML-Areas are useless in Summer'14! Careful with existing HTML-Areas: you save it, you lose it in Summer'14. They get crippled!
It does not work in Winter'16 anymore! It had worked in Summer'14, Winter'15, Spring'15 and Summer'15. For Winter'16 you need this instead and with Spring'16 it looks like an end...
This pattern works in a slightly modified version also for communities: Are sidebar Javascript workarounds also possible for partner portals / communities?
And finally it seems to be even officially supported, look at this: http://help.salesforce.com/HTViewHelpDoc?id=customize_functions_i_z.htm#REQUIRESCRIPT
Here you'll find a knowledge article about what is changing for HTML-Areas and a bit on "why" they do it: https://help.salesforce.com/apex/HTViewSolution?urlname=Home-Page-Components-Changes-Starting-Summer-14&language=en_US
Here you can find and contribute use-cases and possible alternatives for this pattern: Why do we still need to hack the Sidebar? Usecases - Workarounds - Alternatives
Hey guys let's join forces and somehow reach out together to Salesforce and explain to them as a group how important it is to keep the UI open.
Uwe