[Mahara-contributors] [Bug 1992702] Re: Allow a certain style attribute in HTMLPurifier for Canva iframe

Thu, 13 Oct 2022 15:23:36 -0700 

Hi Kristina,

I have created a patch:

https://github.com/tuanngocnguyen/mahara/compare/main...tuanngocnguyen:mahara:bug_1992702-main

I have tried "git clone git://reviews.mahara.org/git/mahara", but got
time out issue. Since I am not familiar with the review process, I
attach the patch here for review. It would also great if you (or someone
else) can help me with the review.


** Patch added: 
"Bug#1992702_enable_css_trusted__position,_left,_right____Bug#1992702_add_style_as_allowed_.patch"
   
https://bugs.launchpad.net/mahara/+bug/1992702/+attachment/5623986/+files/Bug%231992702_enable_css_trusted__position%2C_left%2C_right____Bug%231992702_add_style_as_allowed_.patch

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1992702

Title:
  Allow a certain style attribute in HTMLPurifier for Canva iframe

Status in Mahara:
  Confirmed

Bug description:
  We have embed code generated by Canva
  However, Htmlpurifier removes 'style' attribute on iframe and hence the embed 
content is not displayed properly.

  I am looking to add 'style' as allowed attribute for iframe, but it may have 
some security implication, refer https://bugs.launchpad.net/mahara/+bug/1843154
   
  There is another option, that is using 'class', but it will require user to 
change the embed code.


  Example embed code
  <div style="position: relative; width: 100%; height: 0; padding-top: 56.2500%;
   padding-bottom: 0; box-shadow: 0 2px 8px 0 rgba(63,69,81,0.16); margin-top: 
1.6em; margin-bottom: 0.9em; overflow: hidden;
   border-radius: 8px; will-change: transform;">
    <iframe loading="lazy" style="position: absolute; width: 100%; height: 
100%; top: 0; left: 0; border: none; padding: 0;margin: 0;"
      src="https://sourceurl"; allowfullscreen="allowfullscreen" 
allow="fullscreen">
    </iframe>
  </div>

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1992702/+subscriptions


_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to