Server error whenever I add a youtube embed #422

Closed
SeleDreams opened this issue Apr 4, 2021 · 7 comments
@SeleDreams

Hello, I am posting this issue because I've recently set up Cofoundry and I'm liking it so far. However, whenever I embed a YouTube video in a rich text component, I get a server error as well as a JavaScript error log.

When I go to the admin panel to look at the logs, I have no logs related to this, so the error might be purely client side. I don't really know what could be the source of the issue.

image


SeleDreams commented Apr 5, 2021

Sometimes this error doesn't appear; however, I still have an issue, as the YouTube embed doesn't appear. The generated HTML5 is just the `<p>` of the text I've placed before the YouTube video, and the YouTube video just didn't appear even in the HTML.


SeleDreams commented Apr 5, 2021

image
That's how it looks.

As a note, I also installed all the YouTube plugins but nothing appeared in the admin panel; might be related.

I am on .NET 5.0.
As a note, it also does the same on the default template project.
image
I normally added a YouTube video after "hey".


HeyJoel commented Apr 5, 2021

Firstly, Cofoundry targets .NET Core 3.1. We will not be targeting .NET 5 because it isn't an LTS release.

I suspect, though, it might be because you are rendering the HTML using our HTML sanitizer, which is removing the embed code. If you trust the HTML you can remove the sanitizer, or you can customize the sanitizer ruleset.

If that's not it, you'll need to post your code or a minimal reproducible example; specifically, I'd need to at least see the custom entity model and the page block template.


SeleDreams commented Apr 5, 2021 via email


SeleDreams commented Apr 5, 2021

I can't find how to disable it though.
Well, if it's used to begin with; I'm using the default page editor, and I'd find it weird that the default editor would be sanitized, as it's meant for site administrators.


HeyJoel commented Apr 6, 2021

So, there's two issues here:

  1. The server error you get seems to be because when you're adding a block the region data isn't loaded. In the screenshot I can see the title of the modal is "Add Content Block to", where it should say "Add Content Block to ". I can't replicate this with the default template project, is it intermittent? More specific steps to replicate would be appreciated.
  2. The embed block isn't rendering because the `<iframe>` is blocked by the default sanitizer ruleset, you can read how this works in [the docs](https://www.cofoundry.org/docs/framework/html-sanitizer), but you can remove the sanitizer by replacing `@Cofoundry.Sanitizer.Sanitize(Model.HtmlText)` with `@Html.Raw(Model.HtmlText)` in your page block template. The caveat here is that your content is now open to XSS, but it's up to you whether you trust your content editors and the content they paste into the HTML editor.

In the samples we default to strict XSS prevention, because it does need to be taken into consideration, but I agree that it's not good to give you the option to embed a video when it won't actually render! We could disable the media button in the sample projects, or perhaps look at providing a range of sanitizer defaults for different situations to make it simpler or more discoverable e.g. "Strict", "Lax", "Balanced".

I see you also mentioned the YouTube plugin; note that this doesn't affect the HTML editor. The YouTube plugin contains data annotations that let you have specific properties in your models for YouTube video data, which you can then render however you like. Have a look at the sample project in the YouTube plugin repo for an example.

@SeleDreams

> So, there's two issues here:
>
> 1. The server error you get seems to be because when you're adding a block the region data isn't loaded. In the screenshot I can see the title of the modal is "Add Content Block to", where it should say "Add Content Block to ". I can't replicate this with the default template project, is it intermittent? More specific steps to replicate would be appreciated.
>
> 2. The embed block isn't rendering because the `<iframe>` is blocked by the default sanitizer ruleset, you can read how this works in [the docs](https://www.cofoundry.org/docs/framework/html-sanitizer), but you can remove the sanitizer by replacing `@Cofoundry.Sanitizer.Sanitize(Model.HtmlText)` with `@Html.Raw(Model.HtmlText)` in your page block template. The caveat here is that your content is now open to XSS, but it's up to you whether you trust your content editors and the content they paste into the HTML editor.
>
> In the samples we default to strict XSS prevention, because it does need to be taken into consideration, but I agree that it's not good to give you the option to embed a video when it won't actually render! We could disable the media button in the sample projects, or perhaps look at providing a range of sanitizer defaults for different situations to make it simpler or more discoverable e.g. "Strict", "Lax", "Balanced".
>
> I see you also mentioned the YouTube plugin, note that this doesn't affect the HTML editor. The YouTube plugin contains data annotations that lets you have specific properties in your models for YouTube video data, which you can then render however you like. Have a look at the sample project in YouTube plugin repo for an example.

I was able to fix it in the template project by using `@Html.Raw`, thanks!

I guess one thing that could be done might be, instead of making the default content editors use direct iframes, to have them use BBCode that is then interpreted and converted to an iframe when the BBCode is valid.
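
The BBCode-style approach suggested in the last comment, sketched as an added example that is not part of the original thread and is not Cofoundry code: the editor content stays sanitized, and only a validated token is expanded into a fixed `<iframe>`. The `[youtube]…[/youtube]` syntax, the class name `YouTubeTokenExpander`, the 11-character id format and the sample inputs are assumptions; `WebUtility.HtmlEncode` stands in for the sanitizer step.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: expands [youtube]ID[/youtube] tokens into a fixed iframe.
// The token syntax and class name are hypothetical, not Cofoundry APIs.
public static class YouTubeTokenExpander
{
    // Assumption: video ids are 11 characters from [A-Za-z0-9_-].
    // Anything else does not match and is left as plain text.
    private static readonly Regex Token = new Regex(
        @"\[youtube\]([A-Za-z0-9_-]{11})\[/youtube\]",
        RegexOptions.CultureInvariant, TimeSpan.FromMilliseconds(100));

    // Input must already be sanitized or encoded. The only markup this method
    // introduces is the constant template below plus the validated id.
    public static string Expand(string safeHtml)
    {
        return Token.Replace(safeHtml, m =>
            "<iframe src=\"https://www.youtube-nocookie.com/embed/" +
            m.Groups[1].Value +
            "\" width=\"560\" height=\"315\" allowfullscreen></iframe>");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed editor input: a valid token, a token whose id tries to
        // break out of the src attribute, and a raw iframe pasted directly.
        string[] samples =
        {
            "hey [youtube]abcDEF12345[/youtube]",
            "[youtube]x\" onload=\"y[/youtube]",
            "<iframe src=\"https://example.invalid/\"></iframe>",
        };
        foreach (var raw in samples)
        {
            // Stand-in for the sanitizer step: encode everything.
            string safe = WebUtility.HtmlEncode(raw);
            Console.WriteLine(YouTubeTokenExpander.Expand(safe));
        }
    }
}
```

Only the first sample produces an `<iframe>`; the other two are written out as encoded text. A token that lands inside an attribute value the sanitizer allows would still be expanded and produce malformed markup, so a production version should expand tokens in text nodes only.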
