Kumascript does not allow to output object or iframe tag

RESOLVED FIXED

Status

developer.mozilla.org
Editing
P1
normal
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Jeremie, Unassigned)

Tracking

(Depends on: 1 bug)

Details

(Reporter)

Description

6 years ago
See: https://developer.mozilla.org/en-US/docs/SVG/Element/circle and https://developer.mozilla.org/en-US/docs/Template:EmbedSVG

The EmbedSVG template is not able to output an object or an iframe to display the required SVG file.
Kumascript output gets sanitized by Bleach in the same way as user-produced markup. There is no exception for Kumascript. 

So, if a tag isn't whitelisted (e.g. object or iframe), neither manually-authored nor Kumascript-generated markup can use that tag.

We can add <object> or <iframe> to the Bleach whitelist, but that would allow both Kumascript and anyone editing documents to use those tags.
(Reporter)

Comment 2

6 years ago
In order to limit security risk, is it possible to whitelist iframes only if they carry the sandbox attribute (only with the 'allow-scripts' value)?
Hmm, no, I don't think the filtering works that way. We can allow tags and specific attributes on tags - but not tags with certain attributes.
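The difference between the two filtering models discussed above, as an added example that is not part of the original thread and is not Bleach or Kuma code: a small standard-library sanitizer that applies a static tag and attribute allowlist, with an optional rule that accepts an iframe only when its sandbox attribute is present and restricted. The names `clean`, `iframe_ok`, `ALLOWED` and `SANDBOX_TOKENS` are hypothetical, and the conditional rule is one reading of the proposal in Comment 2.

```python
from html import escape
from html.parser import HTMLParser

# Static allowlist of the kind the thread describes: tags, plus attributes per tag.
ALLOWED = {"p": set(), "a": {"href"}, "iframe": {"src", "sandbox"}}
# Assumption: one reading of Comment 2, sandbox required and limited to these tokens.
SANDBOX_TOKENS = {"allow-scripts"}

def iframe_ok(attrs):
    """True if sandbox is present and grants nothing beyond SANDBOX_TOKENS."""
    return "sandbox" in attrs and set((attrs["sandbox"] or "").split()) <= SANDBOX_TOKENS

class Sanitizer(HTMLParser):
    def __init__(self, conditional):
        super().__init__(convert_charrefs=True)
        self.conditional, self.out, self.open = conditional, [], []

    def handle_starttag(self, tag, attrs):
        kept = {k: v for k, v in attrs if k in ALLOWED.get(tag, ())}
        rejected = tag not in ALLOWED or (
            self.conditional and tag == "iframe" and not iframe_ok(kept))
        if rejected:
            # Neutralise the tag by escaping it so it renders as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        # Re-serialise from the validated attributes only.
        attr_text = "".join(f' {k}="{escape(v or "")}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        matched = bool(self.open) and self.open[-1] == tag
        if matched:
            self.open.pop()
        self.out.append(f"</{tag}>" if matched else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def clean(markup, conditional=False):
    parser = Sanitizer(conditional)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample markup.
SANDBOXED = '<iframe src="/files/circle.svg" sandbox="allow-scripts"></iframe>'
BARE = '<iframe src="/files/circle.svg"></iframe>'
WIDE = '<iframe src="/files/circle.svg" sandbox="allow-scripts allow-same-origin"></iframe>'
```

With the static allowlist alone, `BARE` and `WIDE` pass through unchanged once `iframe` is listed; with `conditional=True` only `SANDBOXED` survives as markup.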
(Reporter)

Comment 4

6 years ago
Mmmmh... this means that we really need the live sample feature ASAP
Yes, this will likely be covered by live examples or file attachment improvements. Marking it as a dependency of the latter for now. Will sort out further later.
Depends on: 766741
Priority: -- → P1
(Assignee)

Updated

6 years ago
Version: Kuma → unspecified
(Assignee)

Updated

6 years ago
Component: Docs Platform → Editing
Product: Mozilla Developer Network → Mozilla Developer Network
This should actually be addressed by live samples (bug 665735), which works now except for some UI improvements.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED