Open indygriffiths opened 5 years ago
Related to this: is it in the users' interest for us to be stripping iframes by default?
Re: iframes, we have a module for that in CWP: https://github.com/silverstripe/silverstripe-iframe/
Even with the silverstripe-iframe module installed, does a CMS user following the step-by-step instructions provided by Google/Pardot/third party service know:
<iframe> tag into each of the model fields)
In regards to @sminnee's point I would argue no. I can see from a security standpoint why we would strip them, but if the module is installed (most of CWP since it's in the recipe) then users can embed iframes into pages anyway if they do know about the page type.
Braindump is a bit sidetracked from the original UX perspective of the issue, but probably good to note down anyway.
The default TinyMCE config doesn't allow users to save all types of HTML tags, such as iframes, as they pose a potential security issue if a CMS editor can insert one into the site content. When the form is saved with one of these blacklisted tags, the CMS lacks any feedback explaining why the tag was stripped from the output.
This is a common issue we're getting support requests for. For example, users don't know why their Google Form or Pardot signup page can't be saved into the CMS, and most of the time they assume the CMS doesn't "support" Google Forms or Pardot.
This ticket isn't suggesting that we whitelist these tags, more how can we provide a better user experience when the CMS strips out non-whitelisted tags, such as adding a toast notification or a warning before the page is saved about the tag.
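An added example (not part of the original issue or the Silverstripe code base) of the kind of pre-save check the issue asks for: it reports which tags in the editor content fall outside a TinyMCE-style `valid_elements` list so the CMS can warn the author before the tags are stripped. The element list, sample HTML and function names are constructed for illustration, and the parser handles only a simplified subset of the `valid_elements` syntax.

```javascript
// Added example: feedback only. The server-side sanitiser stays authoritative;
// this check never decides what is saved, it only explains what will be removed.

// Constructed sample config and content (not the CMS defaults).
const SAMPLE_VALID_ELEMENTS =
  '@[id|class],a[href|target],-p,-strong/b,em/i,img[src|alt],br';
const SAMPLE_HTML =
  '<p>Sign up below:</p>' +
  '<iframe src="https://forms.example/embed"></iframe>' +
  '<script>track()</script>';

// Turn a valid_elements-style string into a set of allowed tag names.
// Handles "name[attrs]", "name/synonym" and the -, +, # prefixes; "@" rules
// (global attributes) do not name an element and are skipped.
function parseValidElements(spec) {
  const allowed = new Set();
  for (const rule of spec.split(',')) {
    const names = rule.trim().replace(/\[.*$/, '').split('/');
    for (const raw of names) {
      const name = raw.trim().replace(/^[-+#]+/, '').toLowerCase();
      if (name && name !== '@') allowed.add(name);
    }
  }
  return allowed;
}

// Return the sorted, de-duplicated names of opening tags that are not allowed.
// Closing tags are ignored; a stray "<x" in unescaped text may be reported,
// which is acceptable for a warning.
function findStrippedTags(html, allowed) {
  const found = new Set();
  for (const m of html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Build the message a toast or pre-save warning could show, or null if
// nothing would be removed.
function strippedTagWarning(html, validElements) {
  const tags = findStrippedTags(html, parseValidElements(validElements));
  if (tags.length === 0) return null;
  const list = tags.map((t) => `<${t}>`).join(', ');
  return `These tags are not allowed by the editor configuration and will be removed on save: ${list}`;
}
```

In an editor integration the returned string would be shown to the author before the form is submitted.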