Comments (8)
@buro9 any thoughts?
from bluemonday.
As per comment in the PR... yeah, that would be the thing to change. But I am curious as to what use an iframe is that has no attributes?
from bluemonday.
@buro9 What's the rationale for preventing something like the following, this is an example of an iframe
copy/pasted directly from youtube:
in := `<iframe width="560" height="315" src="https://www.youtube.com/embed/BIvezCVcsYs" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>`
p := bluemonday.UGCPolicy()
p.AllowElements("iframe")
out := p.Sanitize(in)
fmt.Printf("out: %q\n", out)
// out: ""
from bluemonday.
@mfridman it is a whitelist:
p.AllowElements("iframe")
p.AllowAttrs("width").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("height").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("src").OnElements("iframe")
p.AllowAttrs("frameborder").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("allow").Matching(regexp.MustCompile(`[a-z; -]*`)).OnElements("iframe")
p.AllowAttrs("allowfullscreen").OnElements("iframe")
from bluemonday.
@buro9 Ah thanks, it's whitelist all the way down. Which, upon reflection, is the entire point. Not sure why I thought it'd be possible to "blanket" an entire element.
Tricky part with iframes is different providers might have different attributes, but that's okay. The attributes grow organically over time.
Thanks!
from bluemonday.
I do not trust IFRAMEs and do not trust 3rd party content by allowing them through my bluemonday policies.
Instead I have a list of trusted third parties https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L229-L240 and when I see links of a particular format that matches those (i.e. a YouTube video) then I will replace the link with a version of the embed HTML that I control https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L303-L344 . This happens as the final step in my content processing, and because I control the embed HTML I trust that, and it does require me to also trust the third parties.
This means that on the forums I run a person can just paste in the YouTube URI and it gets auto-embedded without risking letting any 3rd party content through, for example https://www.lfgss.com/conversations/136127/?offset=2525#comment14682852 and I keep the original URI above the embed so that if the third party fails then the link will always work.
The other advantage of this approach is that it means that you could update the content-security-policy to match that list of third parties to de-risk your site further (from untrusted third parties).
from bluemonday.
@buro9 That's really useful information, thanks for sharing that!
from bluemonday.
Closing as answered
from bluemonday.
Related Issues (20)
- Translates string characters to html code HOT 2
- How to disallow emoji? HOT 1
- Go ParseThru vulnerability HOT 2
- Test case not sanitising HOT 1
- Paragraph sanitization (e.g. img.alt) is too restrictive, disallows punctuation
- Sanitize only what is disallowed HOT 1
- Way to skip html escaping code blocks? HOT 1
- Can't allow `<picture>` and `<source>` HOT 1
- Add url prefix for tags such as `a`, `img` and `iframe` HOT 3
- Error when using & and amp in url
- Strip only single attribute HOT 3
- Trailing spaces in style attributes break sanitizing
- Is there a way to allow all URL schemes? HOT 3
- Sanitization removes spacing HOT 1
- How to retain URL? HOT 1
- Option to add spaces HOT 2
- SVG policy HOT 1
- <a> tags in tables not matched correctly HOT 1
- New maintainers for bluemonday in 2024 HOT 1
- Filter multiple class values through whitelist
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bluemonday.