iFrame is escaped in output and not working anymore
For some versions now there has been a problem that iFrames are escaped in the output and the iframe is not visible. Before 10.4.18 I think it was working fine. Now the problem is that the YouTube plugin for the RTE isn't working anymore.
Version is 10.4.21 (Composer latest version)
<p><iframe allowfullscreen frameborder="0" height="360"
src="https://www.youtube.com/embed/fUEHlY8" width="640"></iframe></p>
So I have now checked a lot of tutorials and tested all solutions for over 2 hours.
In the Site TS-Config I have tested a lot of things.
RTE.default.proc {
    allowTags := addToList(object,param,embed,iframe)
    allowTagsOutside := addToList(object,embed,iframe)
    entryHTMLparser_db.allowTags < .allowTags
}
But nothing is working anymore. Is there a solution or a fix for this problem? Am I missing something?
Currently there is no generic solution (yet) in typo3/html-sanitizer for this aspect - however the topic has been briefly discussed at
- https://forge.typo3.org/issues/94917
- https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5
TypoScript configuration as shown above does not have any impact on typo3/html-sanitizer - that's on purpose:
RTE.default.proc {
    allowTags := addToList(object,param,embed,iframe)
    allowTagsOutside := addToList(object,embed,iframe)
    entryHTMLparser_db.allowTags < .allowTags
}
Without explicitly defining allowed attributes for all(!) tags, the shown TypoScript configuration allows cross-site scripting - and that's exactly the reason typo3/html-sanitizer is more strict in this regard. The following proof-of-concept code demonstrates what is possible with those TypoScript settings from above:
<iframe src="javascript:alert('iframe-src')"></iframe>
<object data="null" type="text/invalid" onerror="alert('object-err')"></object>
<embed src="null" type="text/invalid" onload="alert('embed-err')" height="100" width="100">
Some additional research: this is, for instance, how mailtrap.io embeds arbitrary mails in an <iframe>:
<iframe src="..." title="Message view" class="i6jjn6"
sandbox="allow-popups-to-escape-sandbox allow-forms allow-pointer-lock allow-popups allow-presentation allow-orientation-lock allow-modals allow-same-origin"><p>Your browser does not support iframes.</p></iframe>
I've added a section on <iframe> to the tests, using the new feature Attr::MANDATORY, which requires an attribute to be given and to have specified values:
https://github.com/TYPO3/html-sanitizer/blob/main/tests/ScenarioTest.php#L162-L212
$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG + Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('scenario-test')
    ->withTags(
        (new Behavior\Tag('iframe'))->addAttrs(
            (new Behavior\Attr('id')),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allow
            (new Behavior\Attr('allow'))->withValues(
                new Behavior\MultiTokenAttrValue(' ', 'fullscreen')
            ),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
            (new Behavior\Attr('sandbox', Behavior\Attr::MANDATORY))->withValues(
                new Behavior\EmptyAttrValue(),
                new Behavior\MultiTokenAttrValue(
                    ' ',
                    'allow-downloads',
                    'allow-modals',
                    'allow-orientation-lock',
                    'allow-pointer-lock',
                    'allow-popups',
                    'allow-scripts'
                )
            ),
            (new Behavior\Attr('src'))->withValues(
                ...(new UriAttrValueBuilder())->allowSchemes('http', 'https')->getValues()
            )
        )
    );
I've extracted this to a stand-alone preset in PR #93
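As an added example (not code from this thread or from the typo3/html-sanitizer project), the same kind of iframe rules applied to the question's RTE markup and to the proof-of-concept snippets. It assumes the Sanitizer/CommonVisitor wiring of the library's 2.x README and uses Behavior\RegExpAttrValue instead of UriAttrValueBuilder so that src is pinned to YouTube embed URLs.

```php
<?php
// Added example, not code from the issue thread or the typo3/html-sanitizer project.
// Assumed: Sanitizer/CommonVisitor wiring as in the library's 2.x README, and
// Behavior\RegExpAttrValue in place of UriAttrValueBuilder so that src is pinned
// to YouTube embed URLs (the case from the question).
require __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

$iframe = (new Behavior\Tag('iframe'))->addAttrs(
    (new Behavior\Attr('allowfullscreen'))->withValues(new Behavior\EmptyAttrValue()),
    new Behavior\Attr('width'),
    new Behavior\Attr('height'),
    // MANDATORY: an <iframe> without sandbox is treated like an unknown tag
    (new Behavior\Attr('sandbox', Behavior\Attr::MANDATORY))->withValues(
        new Behavior\EmptyAttrValue(),
        new Behavior\MultiTokenAttrValue(' ', 'allow-scripts', 'allow-popups')
    ),
    // src must match the YouTube embed URL; javascript: or any other scheme
    // fails the pattern and the attribute is dropped
    (new Behavior\Attr('src'))->withValues(
        new Behavior\RegExpAttrValue('#^https://www\.youtube\.com/embed/[\w-]+#')
    )
);

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('rte-iframe')
    ->withTags(new Behavior\Tag('p', Behavior\Tag::ALLOW_CHILDREN), $iframe);

$sanitizer = new Sanitizer($behavior, new CommonVisitor($behavior));
// Constructed inputs: the RTE markup from the question, with the sandbox
// attribute the rules require, followed by the three proof-of-concept snippets.
$samples = [
    '<p><iframe allowfullscreen sandbox="allow-scripts" height="360" '
        . 'src="https://www.youtube.com/embed/fUEHlY8" width="640"></iframe></p>',
    '<iframe src="javascript:alert(\'iframe-src\')"></iframe>',
    '<object data="null" type="text/invalid" onerror="alert(\'object-err\')"></object>',
    '<embed src="null" type="text/invalid" onload="alert(\'embed-err\')" height="100" width="100">',
];
foreach ($samples as $html) {
    // The first sample passes through; object/embed are undeclared and the
    // second iframe has no sandbox, so with ENCODE_INVALID_TAG they come
    // back HTML-encoded as text instead of being rendered.
    echo $sanitizer->sanitize($html), PHP_EOL;
}
```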