
HTML.SafeIframe Option

Posted by bfroehle
February 13, 2011 09:43PM

I've attempted to extend HTMLPurifier to allow (some) iframes. Here's the commit message:

Add new HTML.SafeIframe and URI.IframeHostWhitelist options.

Many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format. This introduces two new settings:

  • HTML.SafeIframe / bool, default: FALSE

    Whether or not to display iframe content.

  • URI.IframeHostWhitelist / list, default: array()

    A list of whitelisted hosts for iframe content. Iframes are allowed only if the host explicitly matches an element of this array.

The code is available in the 'iframe' branch of http://repo.or.cz/w/htmlpurifier/bfroehle.git.

Re: HTML.SafeIframe Option
February 13, 2011 11:41PM
Re: HTML.SafeIframe Option
February 14, 2011 07:43AM

Very good. Is the host the only check that's done, though? What if I use a host that is whitelisted but then add some JavaScript into the iframe that will break out of the iframe and allow XSS?

Re: HTML.SafeIframe Option
February 14, 2011 12:11PM

vaughan: No idea. I guess the whole thing with iframes is you have to explicitly trust the host on the other end to behave themselves.

Re: HTML.SafeIframe Option
February 14, 2011 12:46PM

No. What I meant was, if someone on my site wants to post something like (using YouTube as src)

<iframe src="http://youtube.com" width="100%" height="300">
  <SCRIPT SRC=http://myxsslocation/xss.js></SCRIPT>
</iframe>

or

<iframe src="http://youtube.com" width="100%" height="300">
  <IMG SRC=javascript:alert('XSS')>
</iframe>

In those cases the iframe src is a valid whitelisted source, but the content would allow me to post JavaScript etc. to allow XSS. Is it only validating the iframe src, or does it also check the validity of the rest of the content if the src is still valid?

Re: HTML.SafeIframe Option
February 14, 2011 01:22PM

Well, the innards of the iframe will be purified like all the other content, so for me those end up being purified as:

<p><iframe src="http://youtube.com" height="300">
  </iframe>
</p>

I guess the width=100% is getting filtered out; I'm not sure how to allow that.

Re: HTML.SafeIframe Option
March 01, 2011 06:18PM

What is the best way to install this on the standalone version? Sorry, I'm a bit confused when comparing the file locations, etc. I went ahead and added the code but get this result in the error log:

[03-02-2011 01:01:23am] Cannot set undefined directive URI.IframeHostWhitelist to value
[03-02-2011 01:01:23am] Cannot retrieve value of undefined directive HTML.SafeIframe
[03-02-2011 01:01:24am] Cannot set undefined directive HTML.SafeIframe to value
[03-02-2011 01:01:24am] Element 'iframe' is not supported (for information on implementing this, see the support forums)

Any clue?

Re: HTML.SafeIframe Option
March 15, 2011 01:24PM

This does not work if we set the AllowedElements and AllowedAttributes to null (to allow all HTML). We do this in an application admin area to allow the admin to use all HTML and only limit tags in the user accounts.

Re: HTML.SafeIframe Option
March 21, 2011 10:04PM

Sorry about the long lead time to patch review. I've been wondering whether or not we should just convert the new YouTube iframe code into the old-style embed code, or if we need more stringent matching against allowed iframe URLs (for example, the scheme as it stands allows any YouTube page to be embedded; really, we only want the actual videos to be allowed.)

Another consideration is how to ensure that old users who enabled YouTube will find it still working, without having to set yet another configuration knob.

Re: HTML.SafeIframe Option
March 22, 2011 03:04PM

Personally I'd say go with converting the iframe back to the object method. But I know many people who are going to complain at that because they can't use the object method on their iPhones because of the lack of Flash support unless they jailbreak the phone itself, and the iframe method allows them to view YouTube on their iPhones/iPads etc.

Can't wait for HTML5, to be frank; then we can do away with Flash altogether. I hate Flash as much as (if not more than) Steve Jobs does. lol

Re: HTML.SafeIframe Option
March 22, 2011 07:42PM

I've decided to drop this from the agenda of 4.3.0; I was originally planning to fix this before I did the next release, but it seems clear that I don't know what I want to do here and we need to get a new release out (lots of bugfixes and features...)

Re: HTML.SafeIframe Option
March 22, 2011 08:13PM

I say iframes are still allowed with the host idea, but perhaps add a secondary feature to allow simple regex patterns to be applied to the hosts rather than just an allow list. This feature is turned off by default in HTMLPurifier. So let us developers provide the necessary regex (or even provide examples in the documentation). That way we can just do a regex on the iframe src field, and this would match the host and the exact URL used for videos, etc.

Re: HTML.SafeIframe Option
March 22, 2011 08:41PM

@atDev: So you are suggesting something like %URI.IframeWhitelistRegex ?

Re: HTML.SafeIframe Option
March 22, 2011 08:44PM

Yes something similar to that. I am mainly trying to think of a way to cover all of these embed/iframe codes we have to deal with on a more global scale rather than having htmlpurifier have to support each individual format on its own through a filter.

Re: HTML.SafeIframe Option
March 22, 2011 09:53PM

@atDev: Go checkout http://repo.or.cz/w/htmlpurifier/bfroehle.git/shortlog/refs/heads/iframe again.

I've implemented %URI.IframeWhitelistRegexp, which you could set to array('%%') if you wanted to match all URIs.

Re: HTML.SafeIframe Option
March 23, 2011 07:25AM

Ah, that is quite a good addition. We should put in a few recommended regex strings for the docs (for example, for YouTube and such).

Re: HTML.SafeIframe Option
March 23, 2011 10:58PM

Let me know the sites you get most requested and I'll send sample regexes for review if you need them.

Example youtube URL: http://www.youtube.com/embed/7-VhZ7P9m1M?rel=0

Does anyone know the format of the end part of the URL?

I assume youtube would be similar to: /^https?:\/\/www\.youtube\.com\/embed\/[^\?]+\?rel=0$/

Obviously, if someone knows the format of the video ID part, this can be made more strict.

Re: HTML.SafeIframe Option
March 24, 2011 02:17PM

Well, AFAICT, YouTube is the only video site that uses iframes.

Re: HTML.SafeIframe Option
March 24, 2011 10:06PM

Many are starting to use them now.

Vimeo does for sure as default:

<iframe src="http://player.vimeo.com/video/20559041" width="400" height="225" frameborder="0"></iframe><p><a href="http://vimeo.com/20559041">AUCAN - Heartless</a> from <a href="http://vimeo.com/user1342215">SHIROPPO STUDIO</a> on <a href="http://vimeo.com">Vimeo</a>.</p>
Re: HTML.SafeIframe Option
March 24, 2011 10:08PM

The regexes should be fairly basic...

Vimeo: /^https?:\/\/player\.vimeo\.com\/video\/[0-9]+$/

Re: HTML.SafeIframe Option
April 23, 2011 06:40PM

Hi. Today is my first time with HTMLPurifier, and I'm searching for a way to show YouTube and other video streams in iframes. So I found this topic here.

I have downloaded the "bfroehle" folder. :) Is this extension coming in the official release too? Is this code the correct way? BTW, I have changed the regex for YouTube a little.

<?php
require_once('/bfroehle/library/HTMLPurifier.auto.php');

$config = HTMLPurifier_Config::createDefault();
// The iframe element is off by default; this switches it on.
$config->set('HTML.SafeIframe', true);
// Only iframes whose src matches one of these whole-URL patterns survive.
// YouTube video IDs also contain '-' and '_' (e.g. 7-VhZ7P9m1M above), so the
// character class must include them or real embed URLs get stripped.
$config->set('URI.IframeWhitelistRegexp', array(
    '/^https?:\/\/www\.youtube\.com\/embed\/[A-Za-z0-9_-]+$/',
    '/^https?:\/\/player\.vimeo\.com\/video\/[0-9]+$/'
));
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($_POST['editor1']);

Thanks!
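A stand-alone model of the two src checks debated in this thread (the exact-host whitelist from the first post and the whole-URL regexp whitelist proposed later), written as an added example in Python; it is not code from HTMLPurifier or from the 'iframe' branch. The host list, the regexps and the sample src values are constructed for illustration. The YouTube pattern accepts '-' and '_' because the thread's own example ID, 7-VhZ7P9m1M, contains a hyphen, and it optionally admits the ?rel=0 query seen above. It shows the concern raised in the March 21 reply: a host-only check lets any page on www.youtube.com through, while the regexp form pins the src to the /embed/ path; both reject non-http(s) schemes, scheme-relative URLs and look-alike hosts.

```python
import re
from urllib.parse import urlsplit

# Constructed policy values (assumptions for this example, not the project's defaults).
# URI.IframeHostWhitelist style: exact host names.
IFRAME_HOST_WHITELIST = ["www.youtube.com", "youtube.com", "player.vimeo.com"]

# URI.IframeWhitelistRegexp style: patterns that must match the whole src.
IFRAME_WHITELIST_REGEXP = [
    # YouTube video IDs include '-' and '_' (the thread's example is 7-VhZ7P9m1M),
    # so [a-zA-Z0-9]+ alone would reject real embed URLs; ?rel=0 is optionally allowed.
    re.compile(r"^https?://www\.youtube\.com/embed/[A-Za-z0-9_-]+(\?rel=0)?$"),
    re.compile(r"^https?://player\.vimeo\.com/video/[0-9]+$"),
]


def _absolute_http(src: str):
    """Return the split URL if src is an absolute http(s) URL with a host, else None.

    This rejects javascript:, data:, scheme-relative (//host/...) and malformed
    values before any whitelist is consulted.
    """
    try:
        parts = urlsplit(src.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts


def allowed_by_host(src: str, hosts=IFRAME_HOST_WHITELIST) -> bool:
    """Host whitelist: the parsed host must equal an entry exactly.

    Exact comparison (not a substring or suffix test) is what keeps
    www.youtube.com.evil.example out; note it still admits any path on the host.
    """
    parts = _absolute_http(src)
    return parts is not None and parts.hostname.lower() in hosts


def allowed_by_regexp(src: str, patterns=IFRAME_WHITELIST_REGEXP) -> bool:
    """Regexp whitelist: the whole (stripped) src must match one pattern.

    A real filter should canonicalise the URI first (lower-case the host, resolve
    dot segments); this model matches the string as given, so the anchored
    patterns must describe the exact form the provider's embed code uses.
    """
    parts = _absolute_http(src)
    return parts is not None and any(p.match(src.strip()) for p in patterns)


def filter_iframe_srcs(srcs, mode="regexp"):
    """Return the subset of srcs an iframe filter in the given mode would keep."""
    check = allowed_by_regexp if mode == "regexp" else allowed_by_host
    return [s for s in srcs if check(s)]


if __name__ == "__main__":
    # Constructed sample src values covering the cases debated in the thread.
    samples = [
        "http://www.youtube.com/embed/7-VhZ7P9m1M?rel=0",   # real embed URL
        "http://www.youtube.com/watch?v=7-VhZ7P9m1M",       # any YouTube page
        "http://www.youtube.com.evil.example/embed/abc",    # look-alike host
        "http://player.vimeo.com/video/20559041",           # Vimeo embed
        "javascript:alert('XSS')",                          # non-http scheme
        "//www.youtube.com/embed/7-VhZ7P9m1M",              # scheme-relative
    ]
    for mode in ("host", "regexp"):
        print(mode, "->", filter_iframe_srcs(samples, mode))
```

Running the block prints the surviving src values per mode: the host mode keeps the /watch page alongside the /embed/ URL, the regexp mode keeps only the /embed/ and Vimeo player URLs, and neither mode passes the javascript:, scheme-relative or look-alike-host entries.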

Re: HTML.SafeIframe Option
August 31, 2011 01:27PM

Hey, so I was trying to clone the git repo, and it timed out on me.

You have any other ways for me to access the latest code?

From my console:

reagand@reagand-desktop:~/dev/stuff$ git clone http://repo.or.cz/w/htmlpurifier/bfroehle.git
Cloning into bfroehle...
error: Failed connect to repo.or.cz:80; Connection timed out while accessing http://repo.or.cz/w/htmlpurifier/bfroehle.git/info/refs

fatal: HTTP request failed
Re: HTML.SafeIframe Option
September 01, 2011 06:26PM

Wrong URL, try http://repo.or.cz/r/htmlpurifier/bfroehle.git or git://repo.or.cz/htmlpurifier/bfroehle.git

Re: HTML.SafeIframe Option
September 02, 2011 11:40AM

Nope. Still timing out. I wonder if some hardware or something in between me and the git repo is failing...

david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone http://repo.or.cz/r/htmlpurifier/bfroehle.git
Cloning into bfroehle...
error: Failed connect to repo.or.cz:80; Connection timed out while accessing http://repo.or.cz/r/htmlpurifier/bfroehle.git/info/refs

fatal: HTTP request failed
david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone git://repo.or.cz/htmlpurifier/bfroehle.git
Cloning into bfroehle...
repo.or.cz[0: 195.113.20.142]: errno=Connection timed out
fatal: unable to connect a socket (Connection timed out)
david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone git://repo.or.cz/htmlpurifier/bfroehle.git
Cloning into bfroehle...
repo.or.cz[0: 195.113.20.142]: errno=Connection timed out
fatal: unable to connect a socket (Connection timed out)
Re: HTML.SafeIframe Option
September 02, 2011 12:33PM

Yeah, it works fine for me. Try a different machine?

MostHostLA
Re: HTML.SafeIframe Option
September 28, 2011 08:54AM

Hi there. Just wondering if this will actually get into the newest release...

Basically I'm trying to figure out if I should implement it right now to actually allow iframes, or wait until you guys come up with a hopefully "final" solution.

Is a "final solution" even planned as of yet?

BTW, just my 2 cents...

I hate the fact that YouTube switched to iframes in the first place (and I hate the fact that they are using illegal and non-standards-compliant tags [such as allowfullscreen] even more), but when looking at it through objective eyes, iframes are indeed the best way for a website that embeds stuff onto other pages to embed whatever they need to embed properly onto some other website. Additionally, at this time the reality is that iframes are also sort of a "must" for XMLHttpRequest (read as Ajax, I guess) file submission forms.

Personally, I think iframes should STAY deprecated and that XMLHttpRequest should be modified and fixed up to natively allow file submission similarly to how regular HTML handles it. However, the likelihood of that happening in a reasonable time is, to say the least, unrealistic.

I would therefore suggest that HTMLPurifier enact full iframe support, giving its users methods to whitelist the src as stated above, as well as removing or testing additional iframe parameters to make the iframe input actually standards-compliant (and XSS-free).

I think that it would eventually be nice to just add the iframe to the allowed HTML like so: $config->set('HTML.Allowed', 'iframe[src|width|height|border]'); OR $config->set('HTML.AllowedAttributes', 'iframe.src,iframe.width,iframe.height,iframe.border');

That's while having the config automatically take care of the common video/maps/trusted domains by simply allowing the iframes in question with the listed parameters, yet removing any other iframe(s).

The current way to list the domains already seems very practical to use, so I think the next logical step would be to just allow the tag by default without having to set $config->set('HTML.SafeIframe', true);

Again, that's just my 2 cents on the situation...

Re: HTML.SafeIframe Option
December 26, 2011 08:48AM

I've heavily revamped the patch and it'll be going in 4.3.1... or maybe 4.4.0 (sounds like we've got enough stuff in this release to give it a minor version bump)
