AllowElements iframe doesn't work about bluemonday HOT 8 CLOSED

@buro9 any thoughts?

from bluemonday.

As per comment in the PR... yeah, that would be the thing to change. But I am curious as to what use an iframe is that has no attributes?

from bluemonday.

@buro9 What's the rationale for preventing something like the following, this is an example of an iframe copy/pasted directly from youtube:

in := `<iframe width="560" height="315" src="https://www.youtube.com/embed/BIvezCVcsYs" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>`

p := bluemonday.UGCPolicy()
p.AllowElements("iframe")

out := p.Sanitize(in)

fmt.Printf("out: %q\n", out)
// out: ""

from bluemonday.

@mfridman it is a whitelist:

	p.AllowElements("iframe")
	p.AllowAttrs("width").Matching(bluemonday.Number).OnElements("iframe")
	p.AllowAttrs("height").Matching(bluemonday.Number).OnElements("iframe")
	p.AllowAttrs("src").OnElements("iframe")
	p.AllowAttrs("frameborder").Matching(bluemonday.Number).OnElements("iframe")
	p.AllowAttrs("allow").Matching(regexp.MustCompile(`[a-z; -]*`)).OnElements("iframe")
	p.AllowAttrs("allowfullscreen").OnElements("iframe")

from bluemonday.

@buro9 Ah thanks, it's whitelist all the way down. Which, upon reflection, is the entire point. Not sure why I thought it'd be possible to "blanket" an entire element.

Tricky part with iframes is different providers might have different attributes, but that's okay. The attributes grow organically over time.

Thanks!

from bluemonday.

I do not trust IFRAMEs and do not trust 3rd party content by allowing them through my bluemonday policies.

Instead I have a list of trusted third parties https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L229-L240 and when I see links of a particular format that matches those (i.e. a YouTube video) then I will replace the link with a version of the embed HTML that I control https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L303-L344 . This happens as the final step in my content processing, and because I control the embed HTML I trust that, and it does require me to also trust the third parties.

This means that on the forums I run a person can just paste in the YouTube URI and it gets auto-embedded without risking letting any 3rd party content through, for example https://www.lfgss.com/conversations/136127/?offset=2525#comment14682852 and I keep the original URI above the embed so that if the third party fails then the link will always work.

The other advantage of this approach is that it means that you could update the content-security-policy to match that list of third parties to de-risk your site further (from untrusted third parties).

from bluemonday.

@buro9 That's really useful information, thanks for sharing that!

from bluemonday.

Closing as answered

from bluemonday.