[Bug]: popup - iframe stop working on LWC 3.8
What is the bug? (in English)
LWC 3.7.11
popup shows iframe in second table
LWC 3.8.3-pre
popup doesn't show iframe in second table
LWC 3.7.11 and LWC 3.8.3-pre
data - everything works fine
Steps to reproduce the issue
try between these versions
Versions, safeguards, check summary etc
Versions :
- Lizmap Web Client : 3.8.3-pre.7994
- Lizmap plugin : 4.4.2
- QGIS Desktop : 3.34.11
- QGIS Server : 3.34.11
- Py-QGIS-Server : not used
- QGIS Server plugin atlasprint : 3.4.1
- QGIS Server plugin lizmap_server : 2.11.0
- QGIS Server plugin wfsOutputExtension : 1.8.2
List of Lizmap Web Client modules :
* multiauth : 1.2.2
List of safeguards :
* Mode : normal
* Allow parent folder : no
* Prevent other drive : no
* Prevent PG service : no
* Prevent PG Auth DB : no
* Force PG user&pass : no
* Prevent ECW : no
Check Lizmap plugin
- [X] I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.
Operating system
Ubuntu 22.04
Browsers
Firefox
Browsers version
131.0.2
Relevant log output
No response
this is the console output:
strange output... it's the same permissions to show the document in table (data tool) and as I said before on LWC 3.7 all works fine for popup tool and also for data tool
https://github.com/3liz/lizmap-web-client/blob/fd79e9701f32ff63ba39390f65738b02af3628d1/lizmap/modules/view/controllers/media.classic.php#L106
```php
protected function error403($message)
{
    /** @var jResponseJson $rep */
    $rep = $this->getResponse('json');
    $rep->data = array('error' => '403 forbidden (you\'re not allowed to access to this media)', 'message' => $message);
    $rep->setHttpStatus('403', 'Forbidden');

    return $rep;
}
```
@josemvm possibly related to #4707 ?
hi @Antoviscomi i'm talking about html,
@josemvm that's now sanitized as well as all html tags to any dynamic container to avoid XSS attacks, so all the readdressing on dynamic contents shall be unavailable.
@Antoviscomi yes i really understand the security issues but there should also be the possibility of creating exceptions for what is truly secure, i think
@josemvm I totally agree with you!
@josemvm right but doesn't work without a parent layer, that is, if the layer that allows the iframe to be displayed does not have a parent or a relation set I suppose. Furthermore the content you need to serve is a static file (.pdf) not a dynamic object, so the sanitization problem in case of dynamic content (for example html document with bookmarks) remains unsolved
> @josemvm right but doesn't work without a parent layer
yes, but it's very strange...
Fixed by https://github.com/3liz/lizmap-web-client/pull/4953
The transfer of “https://xxx.yyy.zzz/index.php/view/media/getMedia?repository=ma&project=operacoesU&path=media%2Fp_rusticos%2FR-ARL-C-2.pdf” was blocked because the iframe where it was triggered has the sandbox tag defined.
the frame appears without content:
LWC 3.8.4 - be354fcbc
@josemvm not in mine as you can see below using
```html
<br>
<p><iframe src=[%"n_link"%] width="540" height="700"></iframe></p>
</br>
```
and where [%"n_link"%] is the field containing the url of the html file callable from my internal domain
https://github.com/user-attachments/assets/e5f066c1-f866-453b-a485-7a43513cba77
@Antoviscomi what is your lizmap version?
@josemvm You are just reopening this ticket by only copy/pasting your error, without context.
From your error :
> the iframe where it was triggered has the sandbox tag defined
Please search at least what sandbox means and share the code of the popup. Did you define sandbox in your popup ?
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox
If sandbox is present, then it's more "secure" than "not present".
Like the iframe of @Antoviscomi which doesn't have the sandbox attribute.
@Gustry @josemvm the behaviour is correct with sandbox attribute also, for me:
```html
<p><iframe src=[%"n_link"%] width="540" height="700" sandbox></iframe></p>
```
in dev browser console I read:
```html
<iframe height="700" width="540" src="http://myhost/webgis/document/Norme_Attuative.html#AEA" sandbox="allow-scripts allow-forms"></iframe>
```
so I confirm there is not an issue in mine
Yes, the sandbox attribute can be added, but then it's up to the web server (not related to Lizmap) to accept or not the request to serve the HTML content.
Hum, not so sure, the iframe code can be analyzed from the web browser to see which attributes the sandbox can have after DOMPurify
https://github.com/3liz/lizmap-web-client/blob/7c5b679158c0101166ff020bb37bdc7f460ffb36/assets/src/modules/Utils.js#L214
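An added example (not Lizmap code and not written by anyone in this thread): a small JavaScript audit that takes rendered `<iframe>` markup, as copied from the browser inspector, and reports the two sandbox conditions relevant here: whether `allow-downloads` is present (its absence matches the Firefox "blocked because the triggering iframe has the sandbox flag set" message quoted in this issue) and whether `allow-scripts` is combined with `allow-same-origin`. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: audit rendered <iframe> tags for their sandbox flags.
// All markup in SAMPLE is constructed; hosts and paths are placeholders.

// Collect the attributes of each <iframe> opening tag. A regex scan is
// enough for short popup snippets; it is not a general HTML parser.
function listIframes(html) {
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const frames = [];
  for (const tag of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    frames.push(attrs);
  }
  return frames;
}

// Report what the sandbox token list means for one iframe.
function auditIframe(attrs) {
  if (!("sandbox" in attrs)) {
    return { sandboxed: false, downloadsAllowed: true,
             findings: ["no sandbox attribute: framed content is unrestricted"] };
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  const downloadsAllowed = tokens.has("allow-downloads");
  if (!downloadsAllowed) findings.push("downloads blocked: allow-downloads missing");
  // Same-origin content with both tokens can script the parent and drop its sandbox.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts with allow-same-origin weakens the sandbox");
  }
  return { sandboxed: true, downloadsAllowed, findings };
}

function auditHtml(html) {
  return listIframes(html).map(auditIframe);
}

const SAMPLE = [
  '<iframe height="700" width="540" src="http://host.example/doc.html" sandbox="allow-scripts allow-forms"></iframe>',
  '<iframe src="/media/file.pdf" width="100%" height="500px"></iframe>',
  '<iframe src="/media/file.pdf" sandbox="allow-downloads"></iframe>',
  '<iframe src="/app/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>',
].join("\n");

auditHtml(SAMPLE).forEach((r, i) => console.log(i, JSON.stringify(r)));
```
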
hi @Gustry and @Antoviscomi thanks for your help!
my error from firefox console:
Download of “https://xxx.yyy.zzz/index.php/view/media/getMedia?repository=ma&project=operacoesU&path=media%2Fp_rusticos%2FR-GAFSAB-B-1.pdf” was blocked because the triggering iframe has the sandbox flag set.
I don't have any sandbox attributes
i'm using "popupSource": "lizmap" like this template:
```html
<table>
<tr><td>Caderneta <i>Offline</i></td></tr>
<tr><td><iframe src="{$Caderneta Offline}" width="100%" height="500px"</iframe></td></tr>
</table>
```
on lwc 3.7.4 everything works fine!
The lizmap popup for vector layer is deprecated, please use the button to transform to maptip.
What is the result in the browser about the iframe code generated ?
Caderneta Offline
@Antoviscomi the same result...
```html
<br>
<p><iframe src=[%"n_link"%] width="540" height="700"></iframe></p>
</br>
```
your code comes from the .qgs file or .cfg file (popup template)?
> The lizmap popup for vector layer is deprecated, please use the button to transform to maptip.
if i transform to maptip the layer disappears from the map tree...
after conversion the popup, the html code will be in the .qgs file (?)
and into the cfg file it should be "popupSource": "qgis" and the template should be empty?
we have ore control over the template in the cfg file, like in tooltip layers template
> we have ore control over the template in the cfg file, like in tooltip layers template
Sorry, I don't understand, what do you mean ? "more control" I guess, which control ? QGIS Expressions are way more powerful.
more control, i'm talking about editing html code
Sorry @josemvm I still don't understand, using a Lizmap popup for a vector layer is really discouraged :
> more control, i'm talking about editing html code
All the HTML can be tweaked, either in QGIS HTML Maptip window. When using a "QGIS HTML Maptip", have you tried these two buttons ?
I'm curious about "more control about editing HTML code".
My code came from QGIS html 'Layer suggestion' dialog (so it is QGIS Maptip dialog from layer properties in TOC), then is stored in .qgs by Lizmap plugin