Allow iframe tag in HTML field

[TFleury]

Currently iframe tags are removed by HtmlSanitizerService when SanitizeHtml option is enabled.

Could we consider adding iframe to AllowedTags, or is there a vulnerability here ?

[Skrypt]

Looks like a vulnerabiity fix to me.

[TFleury]

Maybe, but if you want to be able to embed video or map you've to turn off SanitizeHtml which allows more vulnerabilities.

What's the risk in allowing iframes ? What kinds of exploits relies on it ?

[hishamco]

Totally agree with @Skrypt, but embedding videos and maps make sense to me, this is widely used websites, @deanmarcussen your though

[Skrypt]

You can inject any website page within an iframe. Also any javascript that would alter the current page content.
For videos, don't we use shortcodes that will render an iframe with specific elements (managed)?

[deanmarcussen]

https://owasp.org/www-community/attacks/Cross_Frame_Scripting

but if you want to allow it yourself, the sanitizer is configurable.

https://docs.orchardcore.net/en/dev/docs/reference/core/Sanitizer/

Or a shortcode that creates the iframe (will only work with the HtmlBodyPart)

[hishamco]

For videos, don't we use shortcodes that will render an iframe with specific elements (managed)?

Ya

[davidhayden]

You can configure the sanitizer to allow iframe tags.

services
    .AddOrchardCms()
    .ConfigureServices(tenantServices =>
        tenantServices.ConfigureHtmlSanitizer((sanitizer) =>
        {
            sanitizer.AllowedTags.Add("iframe");
        })
    );```