CKEditor 4.21 blocking iframe

Created on 25 April 2023, over 1 year ago
Updated 24 May 2023, over 1 year ago

Problem/Motivation

The latest version of CKEditor, 4.21, now adds the sandbox attribute to iframes it inserts. If no sandbox value is configured, iframes on your site may stop working. This is a major problem if you are using Filtered HTML and are not using ACF (Advanced Content Filter).

Steps to reproduce

  1. Download and install CKEditor 4.21 on a site that uses iframes.
  2. Create a new page or edit a page and set the text format to Filtered HTML.
  3. Insert an iframe and set its attributes.
  4. Save the page.

Once saved, the iframe will not work. This is because CKEditor 4.21 emits sandbox="" by default, and an empty sandbox applies every restriction (scripts, forms and same-origin access are all blocked).

Proposed resolution

  1. One workaround would be to allow users to set the sandbox attribute themselves.
  2. Another solution would be to add the values to the dialog box in the Advanced tab.
  3. You can also add the values to the advanced content filter (ACF) rules.
  4. Add values to CKEDITOR.config.iframe_attributes. This is more of a fix to CKEditor itself, as opposed to the WYSIWYG module.
🐛 Bug report
Status

Active

Version

2.9

Component

Editor - CKEditor

Created by

🇺🇸 United States anthonyroundtree


Comments & Activities

  • Issue created by @anthonyroundtree
  • 🇩🇪 Germany andrerb

    A possible solution is to add the needed config described here: https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_config.html#cfg-... via hook_wysiwyg_editor_settings_alter():

    /**
     * Implements hook_wysiwyg_editor_settings_alter().
     *
     * "mymodule" is a placeholder for your module's machine name; a function
     * literally named hook_...() is never invoked by Drupal.
     */
    function mymodule_wysiwyg_editor_settings_alter(&$settings, $context): void {
      // Only CKEditor profiles understand iframe_attributes.
      if ($context['profile']->editor == 'ckeditor') {
        // Attributes CKEditor 4.21 puts on every <iframe> it inserts.
        $settings['iframe_attributes'] = [
          'sandbox' => 'allow-scripts allow-same-origin',
          'allow' => 'autoplay',
        ];
      }
    }

  • 🇺🇸 United States anthonyroundtree

    I don't want to close this topic, however, I am not comfortable with moving forward with an update with this module if it approves 4.21. Frankly, without something addressing the issue, I would say that 4.21 is not recommended for use with WYSIWYG. This puts everything into a conundrum, of course, because it is a security patch. Any thoughts?

    Regarding #3, it goes into a discussion as to whether or not it's a good idea to allow allow-scripts and allow-same-origin at the same time. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe for more detail. The issue is:

    When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
    Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage.
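The sandbox="" default this issue is about and the two MDN cautions quoted above can be checked mechanically on saved markup. The following is an added example, not code from the WYSIWYG module or CKEditor; assessSandbox and iframeSandboxes are names chosen here, and the sample HTML is constructed.

```javascript
// Added example (not from the WYSIWYG module or CKEditor): classify what an
// <iframe sandbox="..."> value actually permits, so saved markup can be audited.
// CKEditor 4.21 emits sandbox="" unless iframe_attributes says otherwise.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);
// Returns { level, tokens, unknown, note } for one sandbox value.
// Pass null when the attribute is absent (the frame is not sandboxed at all).
function assessSandbox(value) {
  if (value === null) {
    return { level: 'unsandboxed', tokens: [], unknown: [],
      note: 'no sandbox attribute: frame keeps full privileges' };
  }
  const tokens = [...new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean))];
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  if (tokens.length === 0) {
    // sandbox="": every restriction applies, so scripts and forms are blocked.
    return { level: 'fully-restricted', tokens, unknown,
      note: 'empty sandbox: scripts, forms and same-origin access are blocked' };
  }
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    // A same-origin framed document can then script the parent and strip the attribute.
    return { level: 'escapable', tokens, unknown,
      note: 'allow-scripts plus allow-same-origin lets a same-origin frame remove its sandbox' };
  }
  return { level: 'restricted', tokens, unknown, note: 'sandboxed with the listed permissions' };
}

// Extracts each <iframe>'s sandbox value from an HTML string: null when absent,
// '' for a bare `sandbox` attribute. A small regex is enough for editor output.
function iframeSandboxes(html) {
  const out = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const valued = /(?:^|\s)sandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (valued) {
      out.push([valued[1], valued[2], valued[3]].find((v) => v !== undefined));
    } else {
      out.push(/(?:^|\s)sandbox(?=\s|$)/i.test(m[1]) ? '' : null);
    }
  }
  return out;
}
// Constructed sample: what a Filtered HTML page might contain after saving.
const SAMPLE = '<iframe src="https://example.com/a" sandbox=""></iframe>' +
  '<iframe src="/b" sandbox="allow-scripts allow-same-origin"></iframe>' +
  '<iframe src="/c"></iframe><iframe src="/d" sandbox="allow-scripts allow-forms"></iframe>';
```

Running iframeSandboxes(SAMPLE).map(assessSandbox) over the sample flags the first frame as fully restricted (the breakage reported here) and the second as escapable (the combination MDN warns about).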