Add html generation for photo type embed previews #1334
Conversation
Looks good, works as expected 👍
One moment, I have a possible concern here I'd like some time to explore.
XSS is fun:
This is one benefit of using React elements over concatenating strings, as it takes care of escaping attribute values. Also why in this case, we must not allow user values (
@aduth aha, I did try to find a service where that was a problem, but it looked like the embed API returned safe values. Thanks for finding one that didn't, will change things 😄
Ok, switched to JSX for the photo preview. I was under the impression that the embed API supplied clean values, but now I see it was actually cloudup sanitising things.
One-off sanitization scares me a bit. I'm looking at
Yes, we absolutely should be doing sandboxing, but it's difficult. On the initial version of this block, we agreed that we'd just inject the html into a div for now, so we could get the block working, and look at sandboxing once it was done. I do not like the current implementation of HtmlEmbed, but the amount of work needed to get sandboxed iframes working correctly is not a small amount. Calypso has a resizing iframe, but it does not work by itself, there is more code needed to correctly calculate the height of embedded content for previews, and that code needs to be looked at and brought over into the HtmlEmbed component. It's not simple :( I'm looking at it though.
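The two points raised in this thread (attribute escaping for the photo preview, and a sandboxed iframe for html-type embeds) as a runnable illustration. This is an added example, not code from this PR or from Gutenberg: the provider response `HOSTILE_PHOTO`, the `HOSTILE_HTML` snippet and every function name are constructed for the demonstration, and `escapeHtml` is a hand-written stand-in for the escaping React/JSX does automatically, not React itself. Plain Node.js, no dependencies.

```javascript
// Added example (not Gutenberg code): why string-concatenated embed previews
// are XSS-prone, what attribute escaping (done automatically by React/JSX)
// buys you, and how a sandboxed iframe contains an html-type embed.
// Plain Node.js, no dependencies. Every input below is constructed.

// Constructed oEmbed-style "photo" response from a hypothetical provider that
// does not sanitise its fields: the title closes the alt attribute and adds
// an event handler.
const HOSTILE_PHOTO = {
  type: 'photo',
  url: 'https://example.test/cat.jpg',
  title: '" onerror="alert(document.cookie)" data-x="',
  width: 640,
  height: 480,
};

// Vulnerable pattern: provider values concatenated straight into markup.
function photoPreviewUnsafe(embed) {
  return '<img src="' + embed.url + '" alt="' + embed.title +
    '" width="' + embed.width + '" height="' + embed.height + '">';
}

// Escape the five characters React escapes in text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping does not neutralise javascript: URLs in contexts that navigate,
// so only http(s) URLs are accepted for src; anything else becomes empty.
function safeHttpUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.href : '';
  } catch (e) {
    return '';
  }
}

// Hardened preview: every provider value escaped, URL scheme checked,
// dimensions accepted only as positive integers.
function photoPreviewSafe(embed) {
  const dim = (n) => (Number.isInteger(n) && n > 0 ? String(n) : '');
  return '<img src="' + escapeHtml(safeHttpUrl(embed.url)) +
    '" alt="' + escapeHtml(embed.title) +
    '" width="' + dim(embed.width) + '" height="' + dim(embed.height) + '">';
}

// Attribute names a browser would see on a single double-quoted tag
// (rough tokenizer, enough to show where the attribute breakout happens).
function attributeNames(tagHtml) {
  const names = [];
  const re = /([a-zA-Z][\w-]*)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// For html-type embeds (the HtmlEmbed case) place the provider markup in a
// sandboxed iframe via srcdoc. Without allow-same-origin the content runs in
// an opaque origin and cannot read the editor's cookies or DOM, while scripts
// still run so the embed renders. Sizing the frame to its content is the
// separate problem mentioned in the thread and is not handled here.
function htmlEmbedSandboxed(providerHtml) {
  return '<iframe sandbox="allow-scripts" srcdoc="' + escapeHtml(providerHtml) +
    '"></iframe>';
}

// Constructed hostile html-type embed body.
const HOSTILE_HTML = '<script>parent.document.cookie</script><b>embed</b>';

console.log(photoPreviewUnsafe(HOSTILE_PHOTO));
console.log(attributeNames(photoPreviewUnsafe(HOSTILE_PHOTO)));
console.log(photoPreviewSafe(HOSTILE_PHOTO));
console.log(attributeNames(photoPreviewSafe(HOSTILE_PHOTO)));
console.log(htmlEmbedSandboxed(HOSTILE_HTML));
```

Running it shows the concatenated version sprouting an `onerror` attribute the provider never declared, while the escaped version keeps the same payload inert inside the `alt` value; the URL scheme check covers the case escaping alone cannot, a `javascript:` URL in a navigating context.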
I opened #1348 to track the sandboxing issue. |
Got the ok from @mtias to merge this, as long as we're working on the sandboxing. |
No description provided.