Closed Bug 781509 Opened 12 years ago Closed 12 years ago

Kumascript does not allow to output object or iframe tag

Categories

(developer.mozilla.org Graveyard :: Editing, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Jeremie, Unassigned)

References

Details

See : https://developer.mozilla.org/en-US/docs/SVG/Element/circle and https://developer.mozilla.org/en-US/docs/Template:EmbedSVG

The EmbedSVG template is not able to output an object or an iframe to display the required SVG file.
Kumascript output gets sanitized by Bleach in the same way as user-produced markup. There is no exception for Kumascript. 

So, if a tag isn't whitelisted (eg. object or iframe), neither manually-authored nor Kumascript-generated markup can use that tag.

We can add <object> or <iframe> to the Bleach whitelist, but that would allow both Kumascript and anyone editing documents to use those tags.
In order to limit security risk, is it possible to white list iframe only if they carry the sandbox attribute (only with the 'allow-scripts' value)?
Hmm, no, I don't think the filtering works that way. We can allow tags and specific attributes on tags - but not tags with certain attributes
Mmmmh... this means that we really need the live sample feature ASAP
Yes, this will likely be covered by live examples or file attachment improvements. Marking it as a dependency of the latter for now. Will sort out further later.
Depends on: mdn-attachments
Priority: -- → P1
Version: Kuma → unspecified
Component: Docs Platform → Editing
This should actually be addressed by live samples (bug 665735), which works now except for some UI improvements
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard
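
The conditional rule asked about in the thread, as an added example that is not part of this bug and is neither Bleach nor Kuma code: a standard-library Python filter contrasting a tag-plus-attribute allowlist with a rule that accepts iframe only when its single sandbox attribute is exactly allow-scripts. The policy names, the https-only src check and the sample markup in the usage are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy for illustration; not MDN's actual Bleach configuration.
ALLOWED_TAGS = {"p", "iframe"}
ALLOWED_ATTRS = {"iframe": {"src", "sandbox"}}
# The rule asked for in the thread: iframe only with sandbox="allow-scripts".
REQUIRE_SANDBOX = {"iframe": ("sandbox", "allow-scripts")}

class AllowlistFilter(HTMLParser):
    def __init__(self, required=None):
        super().__init__(convert_charrefs=True)
        self.required = required or {}
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        ok = tag in ALLOWED_TAGS
        if ok and tag in self.required:
            name, value = self.required[tag]
            # Exactly one occurrence with the exact value: a duplicate or a
            # longer token list such as "allow-scripts allow-same-origin" fails.
            ok = [v for k, v in attrs if k == name] == [value]
        if not ok:
            self.out.append(escape(self.get_starttag_text()))  # show as text
            return
        kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                and (k != "src" or v.startswith("https://"))]  # assumed URL rule
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, escape(v)) for k, v in kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
            self.out.append("</%s>" % tag)
        else:
            self.out.append(escape("</%s>" % tag))

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup, required=None):
    f = AllowlistFilter(required)
    f.feed(markup)
    f.close()
    # Close anything the input left open so later page markup is not swallowed.
    return "".join(f.out) + "".join("</%s>" % t for t in reversed(f.open_tags))
```

Calling `sanitize(markup)` applies only the tag and attribute allowlists, so an unsandboxed iframe passes; `sanitize(markup, REQUIRE_SANDBOX)` escapes it to text unless the sandbox condition holds.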