Closed apriljunge closed 1 year ago
This is only there to embed IFrames. I am not a GDPR professional; to my simple search it looks alright to use them. Do you have more concrete info about it?
I will add filters to make sure this will only be IFrames. Once we have it more in place, we will check into which direction it should go. Right now there are wishes to include YouTube videos and a tool that one SB member developed concerning the Wegweiser action.
We can talk for sure personally about it. I am curious to hear your ideas
Really interesting article. I have never heard about this opinion :astonished:
I'm not into law at all, but since YouTube has servers in the USA and sets tracking cookies by default, personally I would not agree with this article. When I researched I found multiple articles about YouTube embedding and GDPR that state: at least use www.youtube-nocookie.com instead of youtube.com; better: insert a placeholder and load the video on click (2-click solution). As this website acts in a political context, I personally think that the Seebrücke website should provide the best data protection possible with a 2-click solution. It even speeds up loading times :sparkles:.
A more straightforward approach than filtering could be to change the embed field to a URL field. It has many more advantages.
What do you think? Would this meet the requirements? :relaxed:
Yes I like the ideas. I will work towards a solution. I will write here more concretely. Thanx
On Saturday, 25 March 2023, Gregor @.***> wrote:
Really interesting article. I have never heard about this opinion 😲
I'm not into law at all, but since YouTube has servers in the USA and sets tracking cookies by default, personally I would not agree with this article. When I researched I found multiple articles about YouTube embedding and GDPR (https://complianz.io/youtube-and-the-gdpr-how-to-embed-youtube-on-your-site/, https://www.blogmojo.de/youtube-videos-datenschutzkonform-einbetten/, https://cookieplugins.com/en/embedding-gdpr-compliant-youtube-videos/) that state: at least use www.youtube-nocookie.com (http://www.youtube-nocookie.com) instead of youtube.com; better: insert a placeholder and load the video on click (2-click solution). As this website acts in a political context, I personally think that the Seebrücke website should provide the best data protection possible with a 2-click solution. It even speeds up loading times (https://buhalbu.com/nextjs/articles/next-js-adventures-embedded-youtube-videos) ✨.
A more straightforward approach than filtering could be to change the embed field to a URL field. It has many more advantages:
- more secure
- you can have full control over the iframe properties and display
- you can rewrite URLs (youtube.com to youtube-nocookie.com, for example) or add parameters
- you can have an allow list of all permitted URLs to prevent unwanted services from being included
What do you think? Would this meet the requirements? ☺️
Reply link: https://github.com/seebruecke-org/frontend/issues/105#issuecomment-1483875091
I will implement oEmbed, which needs to be activated first to show the content.
The embed component is an actual security risk (XSS). It should be completely replaced or (if it's really not possible to do otherwise) at least more security layers have to be added.
At the moment the code is not filtered at all. This should be avoided at all costs, especially in a CMS that is used by multiple actors. Even if user rights are restricted, the danger of malicious code is reduced, but not eliminated.
Besides the security risk, you do not have any control over layout, services, etc. This is also an issue with GDPR and cookie law. Third-party scripts and cookies could be loaded without any consent of the user. Even if you wanted to, you could not add a cookie banner, because you can't know what services are used for this component.
As this component is called Embed, I am assuming you want to embed things like image galleries, videos or social media posts? I think there are better solutions. Maybe we can discuss that to find a better and GDPR compatible solution.
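The URL-field approach suggested in the thread (allow list, rewriting youtube.com to youtube-nocookie.com, iframe properties fixed by the frontend) and the unfiltered-embed XSS concern raised in the comment above, shown together as an added example that is not code from the seebruecke-org/frontend project. The allowed hosts, the 11-character video ID rule, the `rel=0` parameter and the iframe attributes are assumptions; the video ID in the comments is constructed.

```javascript
// Added example, not code from seebruecke-org/frontend: a URL field checked
// against an allow list replaces the raw embed (iframe HTML) field, so editor
// input never reaches the page as markup. Hosts, ID rule and attributes are assumptions.
const YOUTUBE_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com",
  "www.youtube-nocookie.com", "youtu.be"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumption: YouTube IDs are 11 URL-safe chars

// Returns the embed URL to load, or null when the input must be rejected.
// Only https URLs on allow-listed hosts pass; the video ID is re-validated and the
// outgoing URL is rebuilt from scratch, so extra query parameters, javascript: URLs
// or injected attributes from the CMS field never make it into the iframe.
function toEmbedUrl(input) {
  let url;
  try { url = new URL(String(input).trim()); } catch { return null; }
  if (url.protocol !== "https:" || !YOUTUBE_HOSTS.has(url.hostname)) return null;
  let id = null;
  if (url.hostname === "youtu.be") {
    id = url.pathname.slice(1);                 // https://youtu.be/<id>
  } else if (url.pathname === "/watch") {
    id = url.searchParams.get("v");             // https://www.youtube.com/watch?v=<id>
  } else if (url.pathname.startsWith("/embed/")) {
    id = url.pathname.slice("/embed/".length); // https://www.youtube.com/embed/<id>
  }
  if (!id || !VIDEO_ID.test(id)) return null;
  // Always rewrite to the no-cookie domain; rel=0 keeps related videos to the same channel.
  return `https://www.youtube-nocookie.com/embed/${id}?rel=0`;
}

// Builds the iframe markup with attributes the CMS user cannot influence. For the
// 2-click solution, call this only after the visitor clicks a static placeholder.
function renderEmbed(input) {
  const src = toEmbedUrl(input);
  if (src === null) return null;
  return `<iframe src="${src}" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"` +
    ` sandbox="allow-scripts allow-same-origin allow-popups"` +
    ` allow="fullscreen; picture-in-picture" title="YouTube video"></iframe>`;
}

// Constructed sample input: a watch URL with a tracking-style extra parameter.
// renderEmbed("https://www.youtube.com/watch?v=aB3dE5fG7hI&t=10") yields an iframe whose
// src is https://www.youtube-nocookie.com/embed/aB3dE5fG7hI?rel=0
```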