mahara-contributors team mailing list archive

Thread
Date

[Bug 1992702] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1992702@xxxxxxxxxxxxxxxxxx>
Date: Mon, 17 Oct 2022 00:27:34 -0000
Reply-to: Bug 1992702 <1992702@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/c/mahara/+/13230
Committed: https://git.mahara.org/mahara/mahara/commit/07581d499779c0e6f03a521ddf09c9531d416d19
Submitter: "Robert Lyon <robertl@xxxxxxxxxxxxxxx>"
Branch:    main

commit 07581d499779c0e6f03a521ddf09c9531d416d19
Author: Nathan Nguyen <nathannguyen@xxxxxxxxxxxxxxx>
Date:   Thu Oct 13 15:00:13 2022 +1100

Bug#1992702 enable css.trusted: position, left, right, top, bottom,
z-index

Html purifier remove these in 'style' attribute.
We will need it so that embeded content can be displayed properly

Change-Id: I1bd07fb42bebbd33f9924d2f4986c1f975933483

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1992702

Title:
  Allow a certain style attribute in HTMLPurifier for Canva iframe

Status in Mahara:
  Fix Committed

Bug description:
  We have embed code generated by Canva
  However, Htmlpurifier removes 'style' attribute on iframe and hence the embed content is not displayed properly.

  I am looking to add 'style' as allowed attribute for iframe, but it may have some security implication, refer https://bugs.launchpad.net/mahara/+bug/1843154
   
  There is another option, that is using 'class', but it will require user to change the embed code.


  Example embed code
  <div style="position: relative; width: 100%; height: 0; padding-top: 56.2500%;
   padding-bottom: 0; box-shadow: 0 2px 8px 0 rgba(63,69,81,0.16); margin-top: 1.6em; margin-bottom: 0.9em; overflow: hidden;
   border-radius: 8px; will-change: transform;">
    <iframe loading="lazy" style="position: absolute; width: 100%; height: 100%; top: 0; left: 0; border: none; padding: 0;margin: 0;"
      src="https://sourceurl"; allowfullscreen="allowfullscreen" allow="fullscreen">
    </iframe>
  </div>

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1992702/+subscriptions

References

[Bug 1992702] [NEW] iframe htmlpurifier style attribute
From: Nathan Nguyen, 2022-10-12