Closed jtamary closed 4 years ago
@buro9 any thoughts?
As per comment in the PR... yeah, that would be the thing to change. But I am curious as to what use an iframe is that has no attributes?
@buro9 What's the rationale for preventing something like the following, this is an example of an iframe
copy/pasted directly from youtube:
in := `<iframe width="560" height="315" src="https://www.youtube.com/embed/BIvezCVcsYs" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>`
p := bluemonday.UGCPolicy()
p.AllowElements("iframe")
out := p.Sanitize(in)
fmt.Printf("out: %q\n", out)
// out: ""
@mfridman it is a whitelist:
p.AllowElements("iframe")
p.AllowAttrs("width").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("height").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("src").OnElements("iframe")
p.AllowAttrs("frameborder").Matching(bluemonday.Number).OnElements("iframe")
p.AllowAttrs("allow").Matching(regexp.MustCompile(`[a-z; -]*`)).OnElements("iframe")
p.AllowAttrs("allowfullscreen").OnElements("iframe")
@buro9 Ah thanks, it's whitelist all the way down. Which, upon reflection, is the entire point. Not sure why I thought it'd be possible to "blanket" an entire element.
Tricky part with iframes is different providers might have different attributes, but that's okay. The attributes grow organically over time.
Thanks!
I do not trust IFRAMEs and do not trust 3rd party content by allowing them through my bluemonday policies.
Instead I have a list of trusted third parties https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L229-L240 and when I see links of a particular format that matches those (i.e. a YouTube video) then I will replace the link with a version of the embed HTML that I control https://github.com/microcosm-cc/microcosm/blob/master/models/link_embedmedia.go#L303-L344 . This happens as the final step in my content processing, and because I control the embed HTML I trust that, and it does require me to also trust the third parties.
This means that on the forums I run a person can just paste in the YouTube URI and it gets auto-embedded without risking letting any 3rd party content through, for example https://www.lfgss.com/conversations/136127/?offset=2525#comment14682852 and I keep the original URI above the embed so that if the third party fails then the link will always work.
The other advantage of this approach is that it means that you could update the content-security-policy to match that list of third parties to de-risk your site further (from untrusted third parties).
@buro9 That's really useful information, thanks for sharing that!
Closing as answered
Hey
I've tried to add iframe to the whitelist, but it still sanitize iframes.
Example code:
Any help will be awesome.
Thanks, Jonathan