metacatui
Allow iFrames from trusted sources in MarkdownView
- Update Showdown.js (markdown renderer) to the latest version
- Allow iFrames through the xss filter with limited attributes so that they can be processed by the new Showdown extension
- Add a new Showdown extension to allow iFrames from trusted urls, and filter out those from any other url
- Add a property in the AppModel to store the list of trusted sources. These urls can contain wild cards, e.g. `https://*dataone.org*`
- Also add a sandbox attribute to the iFrame to limit the capabilities of the iFrame
- Add the new Showdown extension to the MarkdownView
🧪 Testing
Currently, iframes can be added to markdown by adding the HTML code directly, e.g.:
```html
<iframe src="www.youtube.com/embed/xvFZjo5PgG0?si=wLUW0M4qF4brYbeS" width="560" height="315"></iframe>
```
This portal has a bunch of iframes and other markdown for testing purposes: https://demo.arcticdata.io/portals/markdown-tests
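
The trusted-source filtering described above, as an added example that is not MetacatUI's own code: it compares a whole-URL wildcard match with a host-anchored check and rebuilds allowed iframes with a sandbox attribute. The function names, the host allowlist, the sandbox tokens and the assumption that `*` matches any run of characters are all hypothetical.

```javascript
// Added example: names, allowlist entries and sandbox tokens are assumptions.
const WILDCARD_PATTERNS = ["https://*dataone.org*"]; // pattern form from the PR text
const TRUSTED_HOSTS = ["dataone.org", "www.youtube.com"]; // constructed host allowlist
const SANDBOX = "allow-scripts allow-same-origin"; // assumed token set

// Whole-URL wildcard match: escape regex metacharacters, "*" becomes ".*".
function matchesWildcard(src, patterns = WILDCARD_PATTERNS) {
  return patterns.some((p) => {
    const body = p.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
    return new RegExp("^" + body + "$", "i").test(src);
  });
}

// Host-anchored match: parse first, require https, compare the hostname only.
function isTrustedHost(src, hosts = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return false; // relative or malformed src is never trusted
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return hosts.some((h) => host === h || host.endsWith("." + h));
}

// Output-stage filter: rebuild trusted iframes from a fixed attribute set and
// drop the rest. Assumes the XSS filter already normalised attribute quoting.
function filterIframes(html) {
  return html.replace(/<iframe\b([^>]*)>[\s\S]*?<\/iframe>/gi, (_, attrs) => {
    const src = (/\bsrc\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1] || "";
    if (!isTrustedHost(src)) return "";
    const dim = (name) => {
      const m = new RegExp("\\b" + name + '\\s*=\\s*"(\\d+)"', "i").exec(attrs);
      return m ? ` ${name}="${m[1]}"` : "";
    };
    const safeSrc = new URL(src).href.replace(/&/g, "&amp;");
    return `<iframe src="${safeSrc}"${dim("width")}${dim("height")} sandbox="${SANDBOX}"></iframe>`;
  });
}
```

Under these assumptions a pattern with a leading and trailing `*` also matches URLs that merely contain the trusted name, which is why the stricter check compares the parsed hostname instead of the raw string.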