Allows Iframe in discussions view #451
Comments
You are right. I need to dig very seriously into the security implications of
this. Handling iframes from user-submitted content is not something to be
taken lightly.
Do you have a use case for this?
On Wed, 11 Oct 2023, 23:05, eMerzh ***@***.***> wrote:
Hello,
it seems that the editor supports iframes, but the backend will strip them
down ...
I understand that the issue is that we don't really want to have any
security issue, but I guess adding a few safe arguments should make the
soft pretty isolated from the included page... and if really it's a big
deal, maybe it can be an admin-flipped toggle?
Yes I was trying to include a Umap map into a discussion, then a Google Sheet doc...
The server-side HTML filter is more strict, indeed. I'll have a look and
see what can be done
On Thu, 12 Oct 2023, 07:28, eMerzh ***@***.***> wrote:
Yes I was trying to include a Umap <https://umap.openstreetmap.fr/> map
into a discussion, then a Google Sheet doc...
Iframes are very common to share those kinds of info...
What is a bit strange is that the editor lets you include them, display
them, then once you are in view they are simply stripped...
Cool thanks...
I'm a bit reluctant at allowing iframes in user-submitted content. Bad feelings about that :=)
Hum, I see that iframes can be scary... Maybe an alternative is to get the src attribute as a URL, then display it and manage the sandbox attribute ourselves.
I guess I'm not up to date on iframe security :)
Parsing the content and rewriting a sandboxed iframe would be fine afaict.
Would you like to work on it? The relevant code is here:
https://github.com/agorakit/agorakit/blob/master/app/Helpers/Filters.php#L29
On Mon, Oct 16, 2023 at 8:09 PM eMerzh ***@***.***> wrote:
Hum, I see that iframes can be scary...
but I don't think embera is a real solution to this.... like it has
only a handful of sites (even though that list could grow, it doesn't
support a lot of open sites),
but you might have decentralized platforms that are almost by definition
an anti-pattern for this 🤔
like, would you (they) add a resolver for every Mastodon instance?
Maybe an alternative is to get the src attribute as a URL, then display it
and manage the sandbox attribute ourselves.
maybe https://web.dev/articles/sandboxed-iframes?hl=fr can help you :)
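The approach both sides settle on above (parse the submitted HTML, keep only the src as a URL, and emit an iframe whose sandbox attribute the server controls) can be implemented like this. This is an added example, not agorakit's own code and not what Filters.php currently does; the function name `rewriteIframesSandboxed`, the `$scriptHosts` allowlist and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added example, not agorakit's own code: rewrite user-submitted <iframe>
// elements into iframes whose attributes the server controls.
declare(strict_types=1);

/**
 * Replace every <iframe> in $html with a server-built, sandboxed <iframe>.
 *
 * - Only absolute http(s) src URLs are kept; javascript:, data:, relative or
 *   missing src values cause the element to be dropped entirely.
 * - No user-supplied attribute (srcdoc, allow, onload, name, ...) is copied.
 * - $scriptHosts (hypothetical, admin-configurable allowlist) names the embed
 *   hosts that may run scripts; every other host gets an empty sandbox.
 */
function rewriteIframesSandboxed(string $html, array $scriptHosts = []): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // user HTML is rarely well-formed
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $root = $doc->getElementById('root');
    // Copy the live NodeList first: replacing nodes while iterating it skips elements.
    $iframes = iterator_to_array($root->getElementsByTagName('iframe'));

    foreach ($iframes as $iframe) {
        $src    = trim($iframe->getAttribute('src'));
        $parts  = parse_url($src) ?: [];
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');

        if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
            $iframe->parentNode->removeChild($iframe);
            continue;
        }

        // Fresh element: nothing the user wrote on the original tag survives.
        $safe = $doc->createElement('iframe');
        $safe->setAttribute('src', $src);
        if (in_array($host, $scriptHosts, true)) {
            // Enough for map or spreadsheet embeds. Never list your own origin
            // here: allow-scripts + allow-same-origin on same-origin content lets
            // the framed page remove its own sandbox.
            $safe->setAttribute('sandbox', 'allow-scripts allow-same-origin');
        } else {
            // Empty sandbox: no scripts, no forms, no storage, no parent navigation.
            $safe->setAttribute('sandbox', '');
        }
        $safe->setAttribute('referrerpolicy', 'no-referrer');
        $safe->setAttribute('loading', 'lazy');
        $iframe->parentNode->replaceChild($safe, $iframe);
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: one legitimate embed, one hostile one.
$sample = '<p>Map:</p>'
    . '<iframe src="https://umap.openstreetmap.fr/en/map/demo_1" allow="camera" onload="alert(1)"></iframe>'
    . '<iframe src="javascript:alert(document.cookie)"></iframe>';
echo rewriteIframesSandboxed($sample, ['umap.openstreetmap.fr']), PHP_EOL;
```

Run against the constructed sample, the first iframe comes back with only `src`, `sandbox="allow-scripts allow-same-origin"`, `referrerpolicy` and `loading` set (the `allow` and `onload` attributes are gone), and the `javascript:` iframe is removed. An empty `sandbox` breaks most interactive embeds, which is why the allowlist exists: hosts like the Umap instance from the thread are granted scripts explicitly, and unknown hosts render as static documents. A `Content-Security-Policy: frame-src ...` header on the discussions page is a useful second layer, since it is enforced by the browser even if a filter bug lets a raw iframe through.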
Hello,
it seems that the editor supports iframes, but the backend will strip them down ...
I understand that the issue is that we don't really want to have any security issue, but I guess adding a few safe arguments should make the soft pretty isolated from the included page... and if really it's a big deal, maybe it can be an admin-flipped toggle?