Allow pasting iframe code into the editor #5
Allows users to paste iframe code directly into the block, which then extracts the URL, title, and attributes automatically. This improves the user experience by simplifying the process of embedding iframes. It also introduces the ability to manage iframe attributes directly from the block editor.
Adds a .wp-env.json file to enable plugin loading in the local WordPress development environment, facilitating testing of the plugin's features during development.
Improves the Iframe block by allowing users to paste iframe HTML code directly into the URL field. The block now parses the iframe code to extract the URL, title, and attributes, and pre-fills the corresponding fields. This change enhances the user experience by simplifying the process of embedding iframes.
Improves the iframe block by refining how iframe code is parsed and how the URL or iframe source is handled in the editor. It now correctly parses iframe tags, extracts attributes, and provides better user guidance for inputting iframe code or URLs. Also, excludes the `style` attribute from being extracted, as it requires object format in React.
Ensures a default aspect ratio of 1:1 for iframes that do not have an explicit aspect ratio defined. This prevents layout issues where the iframe might collapse or render incorrectly, especially during initial loading or when aspect ratio is not properly handled by the embedding context.
This PR is being reviewed by Cursor Bugbot
| ]; | ||
|
|
||
| return excludedAttrs.includes( attributeName.toLowerCase() ); | ||
| } |
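Review bot: `return excludedAttrs.includes( attributeName.toLowerCase() );` is a denylist check, so any attribute name that is missing from `excludedAttrs` is treated as acceptable by default. Consider inverting this into an allowlist of the attribute names the block intends to support, and add a doc comment on the function saying which names are covered and why.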
Unfiltered iframe attributes allow potential XSS attacks
High Severity
The isExcludedIframeAttribute function doesn't filter event handlers (onload, onerror, etc.) or the srcdoc attribute. When pasting iframe code with these attributes, they're extracted by parseIframeCode, stored, and rendered in the saved HTML via convertAttributesToProps. The srcdoc attribute is particularly dangerous as it allows embedding arbitrary HTML/JavaScript content. Malicious iframe code could execute JavaScript when the saved content is viewed.
Additional Locations (1)
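The filtering that the review comment above calls for, written as an allowlist and extended with a scheme check on the source URL. This is an added example, not code from this PR or from Bugbot; the `{ name, value }` attribute shape and the names `ALLOWED_IFRAME_ATTRS`, `isSafeIframeSrc` and `filterIframeAttributes` are assumptions made for illustration.

```javascript
// Added example, not the plugin's code. Assumption: parsed attributes are
// an array of { name, value } objects; the PR's real shape may differ.

// Attributes the block is willing to keep (hypothetical list).
const ALLOWED_IFRAME_ATTRS = new Set( [
	'allow', 'allowfullscreen', 'height', 'loading',
	'name', 'referrerpolicy', 'sandbox', 'width',
] );

// Only http(s) sources are accepted; javascript:, data:, etc. are rejected.
function isSafeIframeSrc( src ) {
	try {
		const { protocol } = new URL( String( src ).trim() );
		return protocol === 'http:' || protocol === 'https:';
	} catch ( e ) {
		return false; // relative or unparsable value
	}
}

// Split parsed attributes into kept and dropped without relying on a denylist:
// on* handlers, srcdoc and unknown names all fall through to "dropped".
function filterIframeAttributes( attrs ) {
	const kept = [];
	const dropped = [];
	const seen = new Set();
	for ( const { name, value } of attrs ) {
		const key = String( name ).trim().toLowerCase();
		if ( ! ALLOWED_IFRAME_ATTRS.has( key ) || seen.has( key ) ) {
			dropped.push( key );
			continue;
		}
		seen.add( key );
		kept.push( { name: key, value: String( value ?? '' ) } );
	}
	return { kept, dropped };
}

// Constructed sample: what a parser might return for a pasted snippet.
const SAMPLE = [
	{ name: 'allowfullscreen', value: '' },
	{ name: 'OnLoad', value: 'alert(1)' },
	{ name: 'srcdoc', value: '<script>alert(1)</script>' },
	{ name: 'loading', value: 'lazy' },
	{ name: 'style', value: 'border:0' },
];
```

Returning the dropped names lets the editor tell the user which pasted attributes were ignored instead of discarding them silently.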
| url: value, | ||
| iframeAttributes: [], | ||
| } ); | ||
| } |
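Review bot: `iframeAttributes: [],` next to `url: value,` resets the stored attributes in the same update that sets the URL. If that reset is intentional, say so in a comment on this branch; if not, update only `url` here and clear the attributes through an explicit action.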
Editing URL clears previously extracted iframe attributes
Medium Severity
When iframe code is pasted, the URL is extracted and shown in the input field while iframeAttributes stores the parsed attributes. If the user then modifies the URL in any way (even a small edit), handleUrlChange no longer recognizes it as iframe code and sets iframeAttributes: [], silently discarding all previously extracted attributes like allowfullscreen or allow. This causes unexpected loss of iframe functionality when users make minor URL corrections.
Description
In addition to being able to use a URL for the iframe source, it is now possible to paste `<iframe>` HTML code directly, to make contributing easier.
Note
Introduces iframe HTML parsing and attribute propagation for the `blockparty/iframe` block.
- `iframeAttributes` to `block.json`; `edit.js` now accepts a pasted `<iframe>` (via `parseIframeCode`) or URL, extracts `src`, `title`, and other attributes, and renders them using `convertAttributesToProps`
- `utils.js` with helpers to parse iframe code, map HTML attributes to React props, handle boolean attributes, and exclude managed/deprecated ones
- `save.js` applies converted `iframeAttributes` to the saved `<iframe>`; placeholder copy updated (URL→Source) with guidance for pasting iframe code
- `style.scss` sets a default `aspect-ratio` when no ratio is specified; adds `.wp-env.json` for local plugin setup
Written by Cursor Bugbot for commit fdffb96.