Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

iFrame is escaped in output and not working anymore #70

Closed
rehoehle opened this issue Nov 7, 2021 · 4 comments
Closed

iFrame is escaped in output and not working anymore #70

rehoehle opened this issue Nov 7, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@rehoehle
Copy link

rehoehle commented Nov 7, 2021

Since some versions there is a problem that iFrames are escaped in the output and the iframe is not visible. Before 10.4.18 i think it was working fine. Not the problem is that the youtube plugin for the RTE isn't working anymore.

Version is 10.4.21 (Composer latest version)

<p>&lt;iframe allowfullscreen frameborder="0" height="360"
  src="https://www.youtube.com/embed/fUEHlY8" width="640"&gt;&lt;/iframe&gt;</p>

So i have checked not a lot of tutorials and tested now over 2 hours all solutions.

In the Site TS-Config i have tested a low of things.

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

But nothing is working anymore. Is there a solution or a fix to solve the Problem? Do i miss something?

@ohader
Copy link
Member

ohader commented Nov 8, 2021

Currently there is no generic solution (yet) in typo3/html-sanitizer for this aspect - however the topic has been briefly discussed at


TypoScript configuration as shown above does not have any impact on typo3/html-sanitizer - that's on purpose:

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

Without explicitly defining allowed attributes for all(!) tags, the shown TypoScript configuration allows cross-site scripting - and that's exactly the reason typo3/html-sanitizer is more strict in this regard. The following proof-of-concept code demonstrates what is possible with those TypoScript settings from above:

<iframe src="javascript:alert('iframe-src')"></iframe>
<object data="null" type="text/invalid" onerror="alert('object-err')"></object>
<embed src="null" type="text/invalid" onload="alert('embed-err')" height="100" widht="100">

@ohader ohader added the enhancement New feature or request label Nov 15, 2021
@ohader
Copy link
Member

ohader commented Jan 17, 2022

Some additional research, this is for instance how mailtrap.io is embedding arbitrary mails in an <iframe>:

<iframe src="..." title="Message view" class="i6jjn6"
  sandbox="allow-popups-to-escape-sandbox allow-forms allow-pointer-lock allow-popups allow-presentation allow-orientation-lock allow-modals allow-same-origin"><p>Your browser does not support iframes.</p></iframe>

ohader added a commit to ohader/html-sanitizer that referenced this issue Oct 6, 2022
ohader added a commit that referenced this issue Oct 6, 2022
* [FEATURE] Introduce mandatory tag attributes (Related: #71)
* [TASK] Add iframe example scenario (Related: #70)
* [TASK] Add tests for Attr flag assignment
* [TASK] Add example for Attr::MANDATORY to README.md
* [TASK] Resolve todos in ScenarioTest
@ohader
Copy link
Member

ohader commented Oct 6, 2022

I've added a section on <iframe> to the tests, using new feature Attr::MANDATORY, which requires an attribute to be given and having specified values:

https://github.com/TYPO3/html-sanitizer/blob/main/tests/ScenarioTest.php#L162-L212

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG + Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('scenario-test')
    ->withTags(
        (new Behavior\Tag('iframe'))->addAttrs(
            (new Behavior\Attr('id')),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allow
            (new Behavior\Attr('allow'))->withValues(
                new Behavior\MultiTokenAttrValue(' ', 'fullscreen')
            ),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
            (new Behavior\Attr('sandbox', Behavior\Attr::MANDATORY))->withValues(
                new Behavior\EmptyAttrValue(),
                new Behavior\MultiTokenAttrValue(
                    ' ',
                    'allow-downloads',
                    'allow-modals',
                    'allow-orientation-lock',
                    'allow-pointer-lock',
                    'allow-popups',
                    'allow-scripts'
                )
            ),
            (new Behavior\Attr('src'))->withValues(
                ...(new UriAttrValueBuilder())->allowSchemes('http', 'https')->getValues()
            )
        )
    );

@ohader
Copy link
Member

ohader commented Oct 20, 2022

I've extracted this to a stand-alone preset in PR #93

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants