Allow style tag iframe in post content #2611
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e restricted to certain llms elements rather than all post models.
|
I think this is fine. Technically, the style tag can be used to push the iframe out to cover the whole screen, which could allow that iframe to mimic the site in a dangerous way. But the danger here is in adding the iframe in the first place and setting the src attribute to something untrusted that would abuse that. We want course builders to be able to embed and even style iframes within their courses. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Allow style attributes to be included in iframe tags. From what I can see this should be fine, but would like a second take on any security implications of this that I might have missed.
Fixes #2610
How has this been tested?
Manually
Checklist: