
aucor_core_security_disable_unfiltered_html removes iframes (inside HTML blocks) when in wide column container blocks #1

Closed
Jaska opened this issue May 29, 2019 · 5 comments

Comments

@Jaska commented May 29, 2019

So, I wanted to be able to put iframes in the pages and since WordPress's embed section was no use, I thought the best would be to simply use the HTML block.
Of course I had to enable that block since it's removed by default in Aucor Starter.

I wanted the iframe to be inside the column block, which worked until I clicked the "Wide" or "Full width" buttons of the columns.

After a little testing, I found out that by commenting out aucor_core_security_disable_unfiltered_html in the class-security.php file, it let the editor save the HTML content when inside wide columns.

@TeemuSuoranta (Member) commented Jun 30, 2019

Sorry for the late reply. You can disable any feature or sub-feature by filter. In this case add_filter('aucor_core_security_disable_unfiltered_html', '__return_false');

Here's the reason we disable unfiltered html:

  • Injecting JavaScript or iframes is one of the most common hacks on WordPress sites when the hacker is able to inject them into content in various ways. This brings a little protection.
  • Not all roles can (by default) write with unfiltered HTML. This means that an admin can embed an iframe and later an editor goes to save the same page and that iframe is gone because the editor won't have the right to save unfiltered HTML. So by having iframes/JavaScript right in the content you run the risk of losing content by lower-level users.

If you need to embed iframes straight into content, I'd recommend:

  • Use a plugin like Iframe that allows iframes through shortcode markup but still protects against JavaScript
  • Disable this feature

We will keep this feature on by default as this improves the security a bit and protects against content loss.

@Jaska (Author) commented Jul 25, 2019

Thanks for answering.

But do you see the problem that iframes can be added inside columns when not in wide or full mode?
If they would be disabled everywhere, then I'd see the point.

@TeemuSuoranta (Member) commented Aug 4, 2019

Sorry to keep you waiting again. The unfiltered_html option should disable iframes everywhere as it is WordPress core functionality that we are just switching on with the filter. To my knowledge, WP scans the whole content via regex on the_content filter, either or both when content is saved to the DB and when it is displayed (the_content hook). If it lets through something it shouldn't, it might be a bug in core.

@Jaska (Author) commented Aug 4, 2019

Thanks!

@Jaska (Author) commented Sep 4, 2019

@TeemuSuoranta the code:
add_filter('aucor_core_security_disable_unfiltered_html', '__return_false');

Doesn't disable the feature. I tried it with different priorities but no.
Are you sure it works?
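An added example (editor's illustration, not code from Aucor Core or from either participant) that combines the filter suggested earlier in the thread with a small diagnostic for checking whether it took effect: it logs whether the current user holds the `unfiltered_html` capability and what `wp_kses_post()` (the save-time filter WordPress applies to users without that capability) does to a constructed iframe snippet. Placing the file in `mu-plugins/` and the `?kses_check=1` query flag are assumptions.

```php
<?php
/**
 * Plugin Name: unfiltered_html check (added example, not part of Aucor Core)
 * Drop into wp-content/mu-plugins/ so it is loaded before regular plugins.
 * Assumption: registering the filter this early ensures it exists before
 * aucor-core evaluates it; a filter added after that point has no effect.
 */

// Re-enable unfiltered_html for the roles that have it in core,
// as suggested in the thread.
add_filter( 'aucor_core_security_disable_unfiltered_html', '__return_false' );

// Diagnostic, visible to administrators only: load any admin page with
// ?kses_check=1 (assumed flag) and read the result in the PHP error log.
add_action( 'admin_init', function () {
    if ( ! isset( $_GET['kses_check'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // Constructed sample markup: a paragraph plus an iframe inside a
    // wide columns wrapper, like the block markup the issue describes.
    $sample = '<div class="wp-block-columns alignwide"><p>Hi</p>'
            . '<iframe src="https://example.com/embed"></iframe></div>';

    // True when this user may store raw HTML; false means WordPress
    // runs the content through wp_kses_post() on save and the iframe
    // is dropped because it is not in the allowed "post" tag list.
    $can_raw  = current_user_can( 'unfiltered_html' );
    $filtered = wp_kses_post( $sample );

    error_log( sprintf(
        'unfiltered_html: %s | DISALLOW_UNFILTERED_HTML: %s | kses output: %s',
        $can_raw ? 'yes' : 'no',
        ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) ? 'set' : 'unset',
        $filtered
    ) );
} );
```

If the log still reports `unfiltered_html: no` for an administrator after the filter is in place, the capability is being removed by something other than this filter (for example the `DISALLOW_UNFILTERED_HTML` constant, or a multisite setup where only super admins hold it).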
