Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TinyMce Editor iframe and general #43407

Open
niosme opened this issue Apr 30, 2024 · 10 comments
Open

TinyMce Editor iframe and general #43407

niosme opened this issue Apr 30, 2024 · 10 comments
Labels
No Code Attached Yet

Comments

@niosme
Copy link

niosme commented Apr 30, 2024
edited

Steps to reproduce the issue

Put this into text editor code

<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m12!1m3!1d24578.379315757487!2d22.4165888!3d39.64302065!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sel!2sgr!4v1714479981262!5m2!1sel!2sgr" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>

Expected result

Show map iframe

Actual result

Puts sandbox="" and prevents to load the iframe and becomes

<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m12!1m3!1d24578.379315757487!2d22.4165888!3d39.64302065!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sel!2sgr!4v1714479981262!5m2!1sel!2sgr" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade" sandbox=""></iframe>

Also in sandbox we cannot add values or edit it so allow something to work. Always remains empty so restricts everything.
I cannot figure out how to change it and allow iframes work somehow.

System information (as much as possible)

Joomla 5.0.1
Php 8.2

Additional comments

i setted it as use joomla filters and joomla filters setted to none. Shouldn't this be initialized somehow so no changes happened to any value?
Tiny mce at final keeps editing text and doennt allow even a custom structure or something like that:


<a>
   <img/>
  <div>
     <div></div>
     <div></div>
  </div>
</a>
@brianteeman
Copy link
Contributor

This is intended behaviour and implements the security hardening in tniymce

https://youtu.be/OGZ06TCdJHc?si=Z0sSHlVaV-OP0wRi&t=64

@niosme
Copy link
Author

niosme commented May 1, 2024

Followed your video and It does the same behaviour... Puts the sandbox inside!

@brianteeman
Copy link
Contributor

yes it is supposed to put the sandbox there. As I said this is a security change from tinymce https://www.tiny.cloud/docs/tinymce/latest/7.0-release-notes/#security-fixes

@niosme
Copy link
Author

niosme commented May 1, 2024
edited

So we cannot put an iframe like google maps from now on? I now its a security fix but

What this documentation/update changes says is this:
..
From TinyMCE 7.0.0 onwards the default value of this option is true.
...
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox="" attribute applied when the sandbox_iframes option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe elements from every domain, set this option to [].

also this exists..

Without those every map on site with iframe will not be displayed because it will become sandboxed. Something that so many years was working. Maybe in the plugin we should have an option to enable or disable this option and put convert_unsafe_embeds and sandbox_iframes_exclusions value if needed.


tinymce.init({
  selector: 'textarea',  // change this value according to your html
  sandbox_iframes: false
});

@zeroalphagit
Copy link

This is intended behaviour and implements the security hardening in tniymce

https://youtu.be/OGZ06TCdJHc?si=Z0sSHlVaV-OP0wRi&t=64

This doesn't work for me either. Joomla 5.1.0

I understand this is done for security but I can't find any solution to allow me to embed youtube videos with iframe which makes this a complete annoying bug

@macstalker
Copy link

Workaround:

Install TinyMCE Configuration Modifier plugin https://github.com/nikosdion/plg_system_tinymod
Then add:
{
"sandbox_iframes": false
}

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43407.

@hostingby
Copy link

hostingby commented May 29, 2024
edited

Bug tinymce editor Joomla 5.1.0 and 5.1.1, TinyMCE editor rewrites code iframe by adding sandbox="".
When you want to share a YouTube movie and place it in an iframe, tinymce rewrites the code and adds sandbox="" which causes the video to no longer work, giving an error.

<iframe title="YouTube video player" src=["https://www.youtube.com/embed/gRQxbEtZhu8?si=LSUPjzjCM4Pprtvs"](https://www.youtube.com/embed/gRQxbEtZhu8?si=LSUPjzjCM4Pprtvs) width="560" height="315" frameborder="0" sandbox="" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen"></iframe>

Workaround: Replace the tinymce editor files from Joomla 5.1.
Upload folder tinymce from joomla 5.0.3 to folder: plugins/editors/tinymce. Problem solved.
Do you have a non-working video in iframe? Edit iframe in source file, remove sandbox="", save, problem solved.

Don't have the files version 5.0.3?
I have the 5.0.3 files in tinymce.zip on www.joomla-5.nl
Use the tinymce.zip in administrator, under system, install Extensions, browse and install the zip file (this replaces the tinymce folder).

@woluweb
Copy link

woluweb commented May 30, 2024
edited

Workaround:

Install TinyMCE Configuration Modifier plugin https://github.com/nikosdion/plg_system_tinymod Then add: { "sandbox_iframes": false }

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43407.

Txs for the suggestion @macstalker !
I do confirm: with this tinymod plugin you can "tweak" TinyMCE's default configuration.
But in my case, instead of disabling sandbox altogether (it was introduced for security reasons) with
{ "sandbox_iframes": false }
I have given a try to the following configuration suggested on Mattermost by @RickR2H and I do confirm that it does work (even if we don't mention "PDF" nor "/images" nor the domain name of the concerned website)

{
    "selector": "textarea",
    "sandbox_iframes": "true",
    "sandbox_iframes_exclusions": [
        "youtube.com",
        "youtu.be",
        "vimeo.com",
        "player.vimeo.com",
        "dailymotion.com",
        "embed.music.apple.com",
        "open.spotify.com",
        "giphy.com",
        "dai.ly",
        "codepen.io"
    ]
}

@brianteeman
Copy link
Contributor

it could well be that I misunderstood the advice from tinymce and applied the security fix incorrectly

@woluweb
Copy link

woluweb commented May 30, 2024
edited

it could well be that I misunderstood the advice from tinymce and applied the security fix incorrectly

I am happy that we have a workaround for this, but it is indeed weird that

  • on the one hand Joomla allows to embed a PDF via the official Joomla Media Manager
  • but at the same time that Joomla would block an embedded PDF when using the official Joomla Wysiwyg Editor
    :)

So I guess that

  • we should at least allow embedding PDFs stored locally on the website
  • and also maybe offer a way to configure those exclusions (the default list is nice for a start, but of course each website has its own needs)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
No Code Attached Yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@brianteeman @woluweb @joomla-cms-bot @macstalker @hostingby @zeroalphagit @niosme