← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #17324

[Bug 1286935] [NEW] Allowed iframe check doesn't handle URLs with a question mark immediately after the domain name

  Thread PreviousDate PreviousThread Next 
Public bug reported:

See https://mahara.org/interaction/forum/topic.php?id=6124

In the Mahara forums, a user reported this issue with an embed code for
hapyak.com. The full embed code:

<iframe
src="//hapyak.com?embed=true&amp;edit=false&amp;startInEditMode=false&amp;track=15572&amp;project=3162&amp;key=2a69d0613a6a43b5a613&amp;source=youtube&amp;source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&amp;controls=true&amp;nativeControls=false&amp;reset_variables=true&amp;autoplay=false&amp;aspect_ratio=1.3328"
class="hapyak-embed" marginwidth="0" marginheight="0" allowfullscreen=""
webkitallowfullscreen="" mozallowfullscreen="" frameborder="no"
height="699" scrolling="no" width="853"></iframe>

Note that the URL starts with "//hapyak.com?embed=true...". If you
change that to "//hapyak.com/?embed=true..." then it works. It looks
like the problem is that the regular expression we use to identify
iframes with a valid URL, doesn't handle the scenario of a URL where
there's a query component but no path component. In other words, a "?"
immediately after the domain name.

** Affects: mahara
     Importance: Medium
     Assignee: Aaron Wells (u-aaronw)
         Status: Confirmed


** Tags: externalvideo iframes

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1286935

Title:
  Allowed iframe check doesn't handle URLs with a question mark
  immediately after the domain name

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  See https://mahara.org/interaction/forum/topic.php?id=6124

  In the Mahara forums, a user reported this issue with an embed code
  for hapyak.com. The full embed code:

  <iframe
  src="//hapyak.com?embed=true&amp;edit=false&amp;startInEditMode=false&amp;track=15572&amp;project=3162&amp;key=2a69d0613a6a43b5a613&amp;source=youtube&amp;source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&amp;controls=true&amp;nativeControls=false&amp;reset_variables=true&amp;autoplay=false&amp;aspect_ratio=1.3328"
  class="hapyak-embed" marginwidth="0" marginheight="0"
  allowfullscreen="" webkitallowfullscreen="" mozallowfullscreen=""
  frameborder="no" height="699" scrolling="no" width="853"></iframe>

  Note that the URL starts with "//hapyak.com?embed=true...". If you
  change that to "//hapyak.com/?embed=true..." then it works. It looks
  like the problem is that the regular expression we use to identify
  iframes with a valid URL, doesn't handle the scenario of a URL where
  there's a query component but no path component. In other words, a "?"
  immediately after the domain name.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1286935/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next