Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.1] Allow PDF embeding again #43716

Merged
merged 5 commits into from
Jul 2, 2024
Merged

[5.1] Allow PDF embeding again #43716

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
46a404f
Revert security fix breaking all PDFs
bembelimen Jun 27, 2024
ae1879a
Make the iframe sandbox a parameter in tinymce
bembelimen Jun 29, 2024
12ac335
Merge branch '5.1-dev' into tinymce/fix-security-change
bembelimen Jun 29, 2024
9000152
Update administrator/language/en-GB/plg_editors_tinymce.ini
LadySolveig Jul 1, 2024
2183b49
Merge branch '5.1-dev' into tinymce/fix-security-change
LadySolveig Jul 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions administrator/language/en-GB/plg_editors_tinymce.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,4 +96,6 @@ PLG_TINY_TOOLBAR_BUTTON_FONTSIZESELECT="Font Size Select"
PLG_TINY_TOOLBAR_BUTTON_FORMATSELECT="Format Select"
PLG_TINY_TOOLBAR_BUTTON_SEPARATOR="Separator"
PLG_TINY_TOOLBAR_BUTTON_STYLESELECT="Style Select"
PLG_TINY_FIELD_SANDBOX_IFRAMES_LABEL="Sandbox Iframes"
PLG_TINY_FIELD_SANDBOX_IFRAMES_DESC="This is a security feature that restricts what the iframe can do by setting a sandbox attribute for each iframe. It is recommended to enable this feature for security reasons. Only disable if the iframe is not loading and you're sure that the iframed content is safe."
PLG_TINY_XML_DESCRIPTION="TinyMCE is a platform independent web based JavaScript HTML WYSIWYG Editor. Using <strong>sets</strong> you can configure and customise the editor for every user group."
12 changes: 12 additions & 0 deletions plugins/editors/tinymce/forms/setoptions.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,18 @@
showon="use_config_textfilters:0"
/>

<field
name="sandbox_iframes"
type="radio"
label="PLG_TINY_FIELD_SANDBOX_IFRAMES_LABEL"
description="PLG_TINY_FIELD_SANDBOX_IFRAMES_DESC"
layout="joomla.form.field.radio.switcher"
default="1"
>
<option value="0">JOFF</option>
<option value="1">JON</option>
</field>

<!-- Extra plugins -->
<field
name="resizing"
Expand Down
3 changes: 2 additions & 1 deletion plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -460,7 +460,8 @@ public function display(string $name, string $content = '', array $attributes =
'promotion' => false,

// Hardened security
'sandbox_iframes' => true,
// @todo enable with TinyMCE 7 using https://www.tiny.cloud/docs/tinymce/latest/content-filtering/#sandbox-iframes-exclusions otherwise all embed PDFs are broken
'sandbox_iframes' => (bool) $levelParams->get('sandbox_iframes', true),
'convert_unsafe_embeds' => true,

// Specify the attributes to be used when previewing a style. This prevents white text on a white background making the preview invisible.
Expand Down