Chapter 13: Rich & Interactive Content

The crucial design insight shared across all four: the interactive thing is a data node, not markup. The editor manipulates structured data ("a Chart block with dataset=Q3-sales and type=bar"); the front end maps that node to a component at render time. This decoupling is what makes embeds portable, themeable, accessible, and — most importantly — sanitizable.

Block-based interactivity: Gutenberg and the Interactivity API

WordPress's block editor (Gutenberg) is the highest-volume example of editor-placed interactivity, and its 2024–2026 evolution is instructive. Two block flavours coexist:

• Static blocks save their HTML into post content at edit time.
• Dynamic blocks store only attributes and render via a PHP render_callback on each request — required for query loops, frequently-changing data, and any block that uses the Interactivity API (per the WordPress Block Editor Handbook).

The Interactivity API, introduced in WordPress 6.5 and standardized in 6.6, is the substantive 2025–2026 story. It gives block authors a declarative, directive-based way to add front-end behaviour (counters, popups, instant search, carts, client-side navigation) without hand-rolling a JS bundle per block. Critically, the runtime only hydrates interactive elements and uses DOM diffing and batched updates, keeping static content static — the same selective-hydration philosophy that islands frameworks pioneered, now baked into the world's most-used CMS. The 2025 Block Bindings API complements this by wiring block attributes to dynamic sources (custom fields, post meta, external APIs), so an editor-placed block can show live data without bespoke code. WordPress's experimental Telex (announced at WordCamp US 2025) pushes further: describe a block in natural language and get a generated, downloadable plugin — an explicit on-ramp from AI prompt to placeable interactive block.

Headless visual builders generalize the same pattern. Storyblok's core abstraction is the block — a reusable component with a defined schema; developers define blocks, editors assemble pages visually in the Visual Editor, with clicking a block scrolling to its rendered element and live two-way preview. For genuinely interactive embeds, Storyblok documents an "embedded blocks" pattern that integrates external interactive experiences (e.g., via StackBlitz) into a component. Builder.io and Webflow follow the register-component-then-drag model, where the developer exposes a React/Vue component (with typed inputs) into the visual editor's insert menu.

Portable Text: custom objects as first-class content

Sanity's Portable Text treats rich text as a JSON array rather than HTML, which makes custom interactivity unusually clean. To add, say, a YouTube embed or an interactive chart, a developer:

1. Defines the embed as an object type in the schema (e.g., a youtube type with a url field, or a chartBlock with dataset references).
2. Adds that type to the of array of the Portable Text field, so it appears in the editor's insert menu.
3. Optionally supplies a custom preview component inside Sanity Studio so editors see a live render, not a placeholder.
4. On the front end, passes a serializer/components map to @portabletext/react (the successor to the deprecated @sanity/block-content-to-react), mapping each custom type to a React component.

Because the content is data, the same Portable Text array can be rendered to React, Vue, native mobile, or even read aloud — and an embed that the front end doesn't recognize simply falls through to a default renderer instead of injecting raw HTML. This is the model's security and portability payoff: there is no arbitrary HTML to sanitize because there is no arbitrary HTML, only typed nodes.

Rich text with embedded entries: Contentful and Hygraph

Contentful and Hygraph occupy a middle ground: a structured rich-text JSON document that can reference other content entries inline. Contentful's Rich Text field supports three ways to bring in another content type — embedded block entry, embedded inline entry, and linked (hyperlink) entry — and the front end renders each via a node-type-to-component map (Contentful's @contentful/rich-text-react-renderer). Hygraph similarly distinguishes block embeds (returned as a <div>), inline embeds (a <span> with data-gcms-embed-inline), and link embeds (an <a> with data-gcms-embed-id/data-gcms-embed-type), per Hygraph's docs. The practical effect for editors is identical to Portable Text: insert a reference to a "Product Callout" or "Interactive Map" entry, and the developer's renderer decides how that becomes interactive. The advantage over MDX is that the embedded thing is itself a reusable, separately-editable, separately-localizable content entry.

MDX: components in the document

MDX (Markdown + JSX) is the developer-favoured model and the one most aligned with the AI-native, Git-backed wing of the CMS landscape. Authors write Markdown and drop in <Chart/>, <Tabs/>, <Callout/>, <Mermaid/>, or <PricingCalculator/> components inline. The benefits cited across MDX tooling (MDX project, TinaCMS, content-collections): type-safety with build-time errors, Git workflow and review, full React capability, zero-latency static rendering, and no SaaS fee.

The historical weakness of MDX — that raw JSX is hostile to non-technical editors and dangerous if untrusted users can author it — is being addressed from two directions:

• Visual MDX editing. TinaCMS bills itself as having shipped the first UI editor for MDX, letting content teams insert registered components ("Embed" button) with one click rather than typing JSX. The component's props become form fields. This keeps MDX's developer ergonomics while giving editors a WYSIWYG surface.
• Constrained component registries. In production MDX setups, the components map passed to the MDX provider is an allow-list. A component the author references that isn't registered simply doesn't render — there is no path to execute arbitrary code that the developer didn't explicitly expose. MDX from untrusted sources, however, must never be evaluated directly; it is full JavaScript and should be treated like running submitted code.

Islands architecture and selective hydration: making interactivity cheap

The cost of rich content is JavaScript. The dominant 2026 answer is islands architecture (Astro's term, but the pattern is now everywhere): render the page to fast static HTML, then add small "islands" of JS only where interactivity or personalization is needed. Astro documents two flavours:

• Client islands — interactive UI hydrated on the client, independently from the rest of the page.
• Server islands — components that server-render their dynamic content separately (stable since Astro 5, alongside the Content Layer), useful for personalized or frequently-changing fragments embedded in an otherwise cacheable page.

Astro's five client:* directives let an editor's embed declare when it costs anything:

Astro's own framing — a typical docs site ships 80%+ less JavaScript than the Next.js/Nuxt equivalent — captures why this matters for content sites stuffed with embeds: ten interactive components no longer means ten eagerly-hydrated bundles. client:visible on data-viz embeds is the single highest-leverage performance lever for article-heavy CMSs. The same idea now appears as Gutenberg's Interactivity API (hydrate only interactive elements), React Server Components + selective 'use client' boundaries in Next.js, Qwik's resumability (skip hydration almost entirely), and Deno/Fresh islands. For a CMS, the practical guidance is: map each editor-placeable interactive block to a lazy/visible hydration boundary by default, and let only the rare above-the-fold widget opt into eager loading.

Component registries and the AI-agent supply chain

Where do these placeable components come from? The 2025 inflection point was shadcn/ui's CLI 3.0 and registry MCP server (shadcn/ui changelog, August 2025). Rather than installing components from npm as opaque packages, the shadcn model distributes components as source you own, fetched from a registry declared in components.json. CLI 3.0 added namespaced registries (@registry/name syntax), private/authenticated registries (bearer token, API key, custom headers), and cross-registry dependency resolution.

The MCP angle is what makes this AI-native: the registry MCP server lets an AI assistant browse, search, and install registry components by natural language ("add a login form from the shadcn registry," "build a landing page using components from the acme registry"). shadcn's pitch — that this "cuts out the cycle of AI-generated code that looks right but fails at runtime" — is precisely the failure mode AI coding agents hit: hallucinated props and imports. A typed registry plus MCP gives the agent a real, installable, version-pinned catalog. For a CMS team, this points at a future where the set of interactive blocks an editor can place is itself an MCP-addressable registry that both humans and agents draw from, with the same allow-list discipline applied to AI-suggested embeds as to human-authored ones.

Data visualization and calculators

For charts, two patterns dominate, and CMSs usually support both:

1. Embed-by-iframe from a viz tool. Newsroom-grade tools — Datawrapper and Flourish — produce responsive embed code (an iframe or a <script>) that pastes anywhere HTML is accepted. Datawrapper originated as a journalist charting tool and emphasizes fine-grained, automatically-responsive charts; Flourish leans into animated, creative chart types and has built-in scrollytelling. Both auto-resize across devices. The CMS treats the embed as an "external embed" block (see oEmbed below). Upside: editors are fully self-serve and the viz is sandboxed in an iframe. Downside: an extra network round-trip and a hard boundary the page can't style.
2. Native chart component. A registered <Chart/> block (often wrapping D3, Chart.js, Recharts, or Observable Plot) whose data comes from a CMS field, an external API via Block Bindings, or a referenced dataset entry. Upside: themed, accessible, SSR-able, no third-party iframe. Downside: developer must build and maintain it. Calculators (mortgage, pricing, ROI, dosage) are almost always this native-component path because their logic is bespoke; the editor places the calculator block and configures parameters (rates, labels, default values) as typed fields.

Scrollytelling: narrative as a content type

Scroll-driven storytelling — the NYT/Pudding/National Geographic genre where graphics transform as the reader scrolls — is the most demanding rich-content form. The de-facto open-source engine is Scrollama (current 3.x), a lightweight library built on IntersectionObserver with React and Vue integrations, typically paired with D3 for the graphics. Lower-code routes have proliferated: Flourish's paid scrollytelling, and Closeread, a Quarto extension for scroll-based narratives. In a CMS, scrollytelling is best modeled as a structured sequence: a parent "Scrolly" block containing an ordered list of "step" sub-blocks (each with prose + a state to apply to a sticky graphic). This keeps the narrative editable, reorderable, and translatable rather than locked in hand-written markup — the same structured-content discipline applied to the hardest case. Maglr's 2026 roundup and the EU data-visualisation guide both stress accessibility and reduced-motion fallbacks, which a structured model makes enforceable (a no-scroll linear fallback rendered from the same step data).

Sandboxing and sanitization: the security backbone

Rich, embeddable content is a classic XSS surface, and 2025 produced a textbook case: Silverstripe CMS's January 2025 patches addressed an oEmbed flaw where unsanitized HTML returned by an oEmbed provider could execute XSS on both the CMS and the front end. The fix — and the prevailing best practice — is iframe sandboxing: wrap untrusted embed HTML in an <iframe> (ideally srcdoc, served from a different origin) with a restrictive sandbox attribute, with an allow-list of trusted domains that may bypass sandboxing.

The defensive toolkit for editor-placeable embeds:

The strategic takeaway: the structured-node CMSs (Sanity Portable Text, the block model, embedded entries) have a built-in security edge because editors place typed objects, not HTML, so there's nothing to inject. The risk concentrates in (a) oEmbed/raw-HTML embed blocks, which must be iframe-sandboxed from a separate origin, and (b) any path where untrusted users author MDX or HTML, which must be sanitized (DOMPurify) or — for MDX — never evaluated at all. WordPress's own performance/security discussions (e.g., wrapping embeds in srcdoc iframes) reflect the same convergence.

AI-native implications

Two threads from elsewhere in this report intersect here. First, llms.txt and AI crawlers: interactive embeds rendered only client-side (an iframe widget, a client:only island) are invisible to LLM crawlers and to the increasing share of readers arriving via AI summaries. Best practice is graceful degradation — a server-rendered fallback (the chart's underlying table, the calculator's explanatory prose) that survives JS-off and bot consumption. Second, agentic authoring: as AI assistants gain MCP access to component registries (shadcn pattern) and to the CMS itself, the allow-list of placeable interactive blocks becomes the governance boundary. An agent that can place embeds should be constrained to the same typed, sandboxed registry a human editor uses — the agent is a new "editor" subject to the same component allow-list and embed sanitization, not an exception to it.

Key Takeaways

• Across every content model — Gutenberg blocks, Sanity Portable Text, Contentful/Hygraph embedded entries, and MDX — interactivity is placed as a typed data node, not raw markup; the front end maps nodes to components at render time. This decoupling is the source of portability, theming, accessibility, and security.
• WordPress's Interactivity API (stable since 6.6) brought selective hydration to the highest-volume CMS: only interactive elements hydrate, static content stays static, mirroring islands architecture.
• Islands + selective hydration is the answer to embed cost. Astro's client:visible (lazy-hydrate data-viz when scrolled into view) is the single highest-leverage performance lever for article-heavy sites; map each placeable block to a lazy hydration boundary by default.
• Server islands (Astro 5) let personalized/dynamic fragments render separately inside an otherwise cacheable page.
• shadcn CLI 3.0 + registry MCP (Aug 2025) reframed components as owned source from namespaced, authenticatable registries that AI agents can browse and install by natural language — pointing at MCP-addressable block registries shared by humans and agents.
• Data viz splits into iframe-embed tools (Datawrapper for precise responsive charts, Flourish for animated/scrolly) versus native chart/calculator components fed by CMS fields or Block Bindings; calculators are almost always native components.
• Scrollytelling (Scrollama 3.x + D3; Flourish; Closeread) is best modeled as a structured step sequence, not hand-written markup, so it stays editable and can carry a reduced-motion/linear fallback.
• Security centers on iframe sandboxing of untrusted embeds from a separate origin (the Silverstripe Jan-2025 oEmbed XSS is the cautionary tale), DOMPurify for any raw HTML, CSP and oEmbed allow-lists, and never evaluating untrusted MDX. Typed-node models have a structural advantage because there's no arbitrary HTML to inject.
• For AI-native sites, provide server-rendered fallbacks for client-only embeds (so LLM crawlers and JS-off readers get the content), and treat AI authoring agents as editors bound by the same component allow-list and embed sanitization.

Key References

• WordPress Developer. About the Interactivity API — Block Editor Handbook. 2025. https://developer.wordpress.org/block-editor/reference-guides/interactivity-api/iapi-about/ — Official spec of the directive-based interactivity layer (stable 6.6), selective hydration of only interactive elements.
• WordPress Developer. Creating dynamic blocks — Block Editor Handbook. 2025. https://developer.wordpress.org/block-editor/how-to-guides/block-tutorial/creating-dynamic-blocks/ — Static vs. dynamic blocks and when render_callback/Interactivity API are required.
• Astro Docs. Islands architecture. 2025. https://docs.astro.build/en/concepts/islands/ — Client vs. server islands, partial hydration, the client:* directives, and the 80%-less-JS claim.
• Sanity Docs. Adding things to Portable Text — From block content schema to React component. 2025. https://www.sanity.io/docs/developer-guides/ultimate-guide-for-customising-portable-text-from-schema-to-react-component — Defining custom objects, the of array, and @portabletext/react serializers.
• Sanity Docs. How to add a custom YouTube embed block to Portable Text. 2025. https://www.sanity.io/docs/developer-guides/portable-text-how-to-add-a-custom-youtube-embed-block — Concrete embed-as-typed-object example with Studio preview.
• shadcn/ui. August 2025 — shadcn CLI 3.0 and MCP Server. 2025. https://ui.shadcn.com/docs/changelog/2025-08-cli-3-mcp — Namespaced registries, private/authenticated registries, and the registry MCP server for AI-agent component install.
• shadcn/ui. MCP Server (docs). 2025. https://ui.shadcn.com/docs/mcp — How AI assistants browse/search/install registry components by natural language.
• TinaCMS. Using Markdown & MDX with TinaCMS. 2025. https://tina.io/mdx-cms — Visual UI editor for MDX; one-click component embeds with props as form fields.
• MDX. Markdown for the component era. 2025. https://mdxjs.com/ — Canonical description of MDX and the components allow-list provider model.
• Silverstripe CMS. Silverstripe CMS security patches January 2025. 2025. https://www.silverstripe.org/blog/silverstripe-cms-security-patches-january-2025 — oEmbed unsanitized-HTML XSS and the iframe-sandbox-with-domain-allow-list fix.
• Jscrambler. Steps Involved in Improving Iframe Security. 2025. https://jscrambler.com/blog/improving-iframe-security — sandbox attribute as the critical iframe control; isolation best practices.
• Hygraph. Working with Rich Text Embeds. 2025. https://hygraph.com/blog/rich-text-embeds — Block vs. inline vs. link embeds and their serialized output (data-gcms-embed-*).
• Contentful. Rendering linked assets and entries in the Rich Text field. 2025. https://www.contentful.com/blog/rendering-linked-assets-entries-in-contentful/ — Embedded block / inline / linked entries and node-to-component rendering.
• russellsamora. scrollama (GitHub). 2025. https://github.com/russellsamora/scrollama — IntersectionObserver-based scrollytelling engine (3.x) with React/Vue integrations.
• Flourish. Effortless data visualization. 2025. https://flourish.studio/ — Responsive embed code, animated charts, and built-in scrollytelling for newsrooms.
• Storyblok Docs. Blocks and Visual Editor. 2025. https://www.storyblok.com/docs/concepts/blocks — Developer-defined blocks, editor-assembled pages, two-way live preview, and embedded interactive blocks.