newism / craft3-fields

Address, telephone, email, embed and gender fields for CraftCMS 3.x

Prevent POSTing of embed data preview #26

Closed domstubbs closed 6 years ago

domstubbs commented 6 years ago

Thanks for a really useful plugin. I’m using the Embed fields and noticed that when I saved an entry with a Vimeo embed in Safari the preview failed to render when the page reloaded. This was coupled with an error in the console:

The XSS Auditor refused to execute a script in 'http://xyz.test/manage/entries/foo/5-slug' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.

It looks as though the XSS auditor is picking up on the fact that the Embed Data preview field contains iframe code that is POSTed with the save request, then it detects that Craft tries to output said iframe on the next page, which seems fishy, so it refuses to display the iframe.

Disabling the preview field prevents it from being POSTed and fixes the XSS error, so previews work reliably.

leevigraham commented 6 years ago

@domstubbs This looks good… Can you just double check for me that changing the embed raw input on an existing entry still saves. I'm 99.99% sure it will as we parse the raw input when the data is normalised on post.

https://github.com/newism/craft3-fields/blob/master/src/fields/Embed.php#L104

domstubbs commented 6 years ago

Ah I didn’t spot that you were doing that.

I’ve just double checked and populating/removing/replacing URLs still works as normal, so we’re all good.