[5.1] Allow PDF embeding again

[bembelimen]

Pull Request for Issue #43407 & #43365 .

Summary of Changes

The security hardening adds an empty "sandbox" attribute to every iframe (read more). This prevents PDFs insert by the media manager loaded (it needs more fine granulated sandbox values)

With TinyMCE 7 you can whitelist certain domains, which will overcome this problem, but till then, this filter is super strict and not usable.

Testing Instructions

Use the media manager to embed a PDF. Save the article and open article in frontpage.

Actual result BEFORE applying this Pull Request

• PDF is blocked

Expected result AFTER applying this Pull Request

• Go to the TinyMCE configuration and disable the following option:
  

• PDF is visible

[drmenzelit]

I have tested this item ✅ successfully on 46a404f

Thank you

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[SniperSister]

Revert broken security fix

It's not broken and it's not a "bug". It's exactly doing what it's supposed to do: it limits the possible actions that an iframe can perform to protect the user from unexpected script execution.

So, the question actually is: does the CMS want to enforce the strictest possible security configuration for the editor, at least by default? Or is the comfort in the content creation process more important?

That's a question that's probably worth a vote in the production department meeting.

[drmenzelit]

I'm for security, of course, but it should at least be possible to embed a local PDF ...
#43407 (comment)

[RickR2H]

I have tested this item ✅ successfully on 46a404f

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[RickR2H]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[Fedik]

TBH, I have no idea why it is called security,
Crossorigin is not easy to bypass without extra effort, by just embed iframe,
And all local embendings, well, they will be need to be enabled in one or in another way.

We just making life for average User more complicated. They can just switch to codemirror, or none editor, and all this "theorethical security" will disapears.

[SniperSister]

We are not talking about a CORS but about user experience and perception. Imagine an editor copy&pasting an iframe tag to an external site into the editor window of his companies intranet. On paste, the iframe will be loaded automatically - and without sandboxing, that iframe could i.e. trigger a file download. The user is now under the impression that this download is triggered by a trusted source, which is the Joomla administrator interface of his intranet - whereas the download is actually triggered by the untrusted iframe site.

I'm not necessarily saying, that this is an important threat scenario for the average user, I just want to point out that the issue is not related to crossorigin or samesite policies.

[Fedik]

We can make a TinyMCE plugin, that shows an alert for potentialy dangerous iframe (and let User decide what to do), when User insert something in the editor. instead of totaly blocking everything.

[RickR2H]

Maybe its an option to extend the TinyMCE plugin with the basic configuration for the sandbox parameters so a domain could be added to allow the PDF iframe?

[bembelimen]

Now with parameter. Ready to test again :)

[RickR2H]

I have tested this item ✅ successfully on 12ac335

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[SniperSister]

I have tested this item ✅ successfully on 12ac335

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[chmst]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43716.}

[LadySolveig]

Thank you @bembelimen and also for testing and review @drmenzelit @SniperSister @RickR2H @Fedik @brianteeman