mahara-contributors team mailing list archive

Thread
Date

[Bug 1992702] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1992702@xxxxxxxxxxxxxxxxxx>
Date: Mon, 17 Oct 2022 00:27:34 -0000
Reply-to: Bug 1992702 <1992702@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/c/mahara/+/13229
Committed: https://git.mahara.org/mahara/mahara/commit/3611d15a8d3704508e858059ccd347a06ba6a2ed
Submitter: "Robert Lyon <robertl@xxxxxxxxxxxxxxx>"
Branch:    main

commit 3611d15a8d3704508e858059ccd347a06ba6a2ed
Author: Nathan Nguyen <nathannguyen@xxxxxxxxxxxxxxx>
Date:   Thu Oct 13 14:22:36 2022 +1100

Bug#1992702 add style as allowed attribute for iframe

HTML purifier remove style attribute from iframe.
Some embed contents (such as those generated from Canva) require 'style' so that they can be displayed properly

Change-Id: Ie66616d8a17177f342389165954e13015d1dd26b

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1992702

Title:
  Allow a certain style attribute in HTMLPurifier for Canva iframe

Status in Mahara:
  Fix Committed

Bug description:
  We have embed code generated by Canva
  However, Htmlpurifier removes 'style' attribute on iframe and hence the embed content is not displayed properly.

  I am looking to add 'style' as allowed attribute for iframe, but it may have some security implication, refer https://bugs.launchpad.net/mahara/+bug/1843154
   
  There is another option, that is using 'class', but it will require user to change the embed code.


  Example embed code
  <div style="position: relative; width: 100%; height: 0; padding-top: 56.2500%;
   padding-bottom: 0; box-shadow: 0 2px 8px 0 rgba(63,69,81,0.16); margin-top: 1.6em; margin-bottom: 0.9em; overflow: hidden;
   border-radius: 8px; will-change: transform;">
    <iframe loading="lazy" style="position: absolute; width: 100%; height: 100%; top: 0; left: 0; border: none; padding: 0;margin: 0;"
      src="https://sourceurl"; allowfullscreen="allowfullscreen" allow="fullscreen">
    </iframe>
  </div>

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1992702/+subscriptions

References

[Bug 1992702] [NEW] iframe htmlpurifier style attribute
From: Nathan Nguyen, 2022-10-12