Allows Iframe in discussions view #451
Comments
|
You are right. I need to dig very seriously the security implications of
this. Handling iframes from user submitted content is not something to be
taken lightly.
Do you have a use case for this?
Le mer. 11 oct. 2023, 23:05, eMerzh ***@***.***> a écrit :
… Hello,
it seems that the editor support iframes, but the backend will strip them
down ...
i understand that the issue is that we don't really want to have any
security issue, but i guess adding a few safe arguments should make the
soft pretty isolated from the included page... and if really it's a big
deal, maybe it can be an admin flipped toggle?
—
Reply to this email directly, view it on GitHub
<#451>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJEZ5NNBOUM4TZYOZXRT7LX64CZXANCNFSM6AAAAAA54TIYKM>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Yes i was trying to include a Umap map into a discussion, then google sheet doc... |
|
The server side HTML filter is more strict, indeed. I 'll have a look and
see what can be done
Le jeu. 12 oct. 2023, 07:28, eMerzh ***@***.***> a écrit :
… Yes i was trying to include a Umap <https://umap.openstreetmap.fr/> map
into a discussion, then google sheet doc...
Iframe are very common ton share those kind of info...
What is a bit strange, is that the editor lets you include them, display
them, then once you are in view they are simply stripped...
—
Reply to this email directly, view it on GitHub
<#451 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJEZ5KPAO6ZSVXSPDCSOVTX655WVANCNFSM6AAAAAA54TIYKM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Cool thanks... |
|
I'm a bit reluctant at allowing iframes in user submitted content. Bad feelings about that :=) |
|
hum, I see that iframe can be scary... Maybe an alternative is to get the src attribute as an URL then display it and manage the sandbox attribute ourselves. |
|
I guess I'm not up to date on iframe security :)
Parsing the content and rewriting a sandboxed iframe would be fine afaict.
Would you like to work on it? The relevant code is here :
https://github.com/agorakit/agorakit/blob/master/app/Helpers/Filters.php#L29
…On Mon, Oct 16, 2023 at 8:09 PM eMerzh ***@***.***> wrote:
hum, I see that iframe can be scary...
but i don't think the embera is a real solution to this.... like it has
only a handfull of sites (eventhough that list could grow , it doesn't
support a lot of open sites),
but you might have decentralized platforms that are almost by definition
an anti pattern for this 🤔
like, would you (them) add a resolver for every mastodon instance?
Maybe an alternative is to get the src attribute as an URL then display it
and manage the sandbox attribute ourselves.
maybe https://web.dev/articles/sandboxed-iframes?hl=fr can help you :)
—
Reply to this email directly, view it on GitHub
<#451 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJEZ5L247CEM4EZGRUAI3TX7VZ4TAVCNFSM6AAAAAA54TIYKOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRVGAZDAMZUHE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Hello,
it seems that the editor support iframes, but the backend will strip them down ...
i understand that the issue is that we don't really want to have any security issue, but i guess adding a few safe arguments should make the soft pretty isolated from the included page... and if really it's a big deal, maybe it can be an admin flipped toggle?
The text was updated successfully, but these errors were encountered: