Allow a certain style attribute in HTMLPurifier (for Canva iframe and others)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Wishlist | Unassigned | |
Bug Description
We have embed code generated by Canva.
However, HTMLPurifier removes the 'style' attribute on the iframe and hence the embed content is not displayed properly.
I am looking to add 'style' as an allowed attribute for iframe, but it may have some security implications, refer https:/
There is another option, that is using 'class', but it will require the user to change the embed code.
Example embed code
<div style="position: relative; width: 100%; height: 0; padding-top: 56.2500%;
padding-bottom: 0; box-shadow: 0 2px 8px 0 rgba(63,
border-radius: 8px; will-change: transform;">
<iframe loading="lazy" style="position: absolute; width: 100%; height: 100%; top: 0; left: 0; border: none; padding: 0;margin: 0;"
src="https:/
</iframe>
</div>
Changed in mahara: | |
status: | Confirmed → In Progress |
milestone: | none → 23.04.0 |
Changed in mahara: | |
importance: | Medium → Wishlist |
Changed in mahara: | |
milestone: | 23.04.0 → 22.10.0 |
status: | In Progress → Fix Committed |
tags: | added: newfeature |
summary: |
- Allow a certain style attribute in HTMLPurifier for Canva iframe
+ Allow a certain style attribute in HTMLPurifier (for Canva iframe and others) |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
Using the class option wouldn't be great because we can't expect that learners add a class in HTML. Therefore, using 'style' would be better. Maybe we'd need to restrict what the style element could be so as not to allow others that are not secure. The related report bug 1843154 may give some idea of how other attributes were limited.
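
The restriction suggested in the comment above, sketched as an added example (not Mahara's or HTMLPurifier's code): a fail-closed filter that keeps only allowlisted declarations from a `style` value. The property list and value patterns are assumptions chosen to cover the iframe style in the example embed code.

```python
import re

# Assumed allowlist, not Mahara's actual rule set: each property maps to a
# pattern that the whole (lower-cased) value must match. Anything else is dropped.
_LEN = r"(?:0|\d{1,4}(?:\.\d{1,4})?(?:px|em|rem|%))"
ALLOWED_STYLE = {
    # 'fixed' and 'sticky' are left out so the frame stays inside its container.
    "position": re.compile(r"absolute|relative|static"),
    "width": re.compile(_LEN),
    "height": re.compile(_LEN),
    "top": re.compile(_LEN),
    "left": re.compile(_LEN),
    "border": re.compile(r"none|0"),
    "padding": re.compile(_LEN),
    "margin": re.compile(_LEN),
}


def filter_style(style: str) -> str:
    """Return the style value with only allowlisted declarations kept.

    Splitting on ';' is deliberately naive: a fragment that is not exactly
    'property: simple-value' (url(), expression(), comments, escapes,
    !important, unknown properties) fails the full match and is discarded.
    """
    kept = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        name, value = name.strip().lower(), value.strip().lower()
        if not sep or not value:
            continue  # empty fragment or no value
        rule = ALLOWED_STYLE.get(name)
        if rule is not None and rule.fullmatch(value):
            kept.append(f"{name}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # The iframe style from the example embed code in the bug description.
    page_style = ("position: absolute; width: 100%; height: 100%; top: 0; "
                  "left: 0; border: none; padding: 0;margin: 0;")
    print(filter_style(page_style))
    # Constructed input with declarations outside the allowlist.
    print(filter_style("width: 100%; background: url(x;y); position: fixed"))
```
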