[Mahara-contributors] [Bug 1992702] Re: iframe htmlpurifier style attribute

Wed, 12 Oct 2022 16:53:46 -0700 

Using the class option wouldn't be great because we can't expect that
learners add a class in HTML. Therefore, using 'style' would be better.
Maybe we'd need to restrict what the style element could be so as not to
allow others that are not secure. The related report bug 1843154 may
give some idea of how other attributes were limited.

** Summary changed:

- iframe htmlpurifier style attribute
+ Allow a certain style attribute in HTMLPurifier for Canva iframe

** Changed in: mahara
       Status: New => Confirmed

** Changed in: mahara
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1992702

Title:
  Allow a certain style attribute in HTMLPurifier for Canva iframe

Status in Mahara:
  Confirmed

Bug description:
  We have embed code generated by Canva
  However, Htmlpurifier removes 'style' attribute on iframe and hence the embed 
content is not displayed properly.

  I am looking to add 'style' as allowed attribute for iframe, but it may have 
some security implication, refer https://bugs.launchpad.net/mahara/+bug/1843154
   
  There is another option, that is using 'class', but it will require user to 
change the embed code.


  Example embed code
  <div style="position: relative; width: 100%; height: 0; padding-top: 56.2500%;
   padding-bottom: 0; box-shadow: 0 2px 8px 0 rgba(63,69,81,0.16); margin-top: 
1.6em; margin-bottom: 0.9em; overflow: hidden;
   border-radius: 8px; will-change: transform;">
    <iframe loading="lazy" style="position: absolute; width: 100%; height: 
100%; top: 0; left: 0; border: none; padding: 0;margin: 0;"
      src="https://sourceurl"; allowfullscreen="allowfullscreen" 
allow="fullscreen">
    </iframe>
  </div>

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1992702/+subscriptions


_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to