HTML.SafeIframe Option

I've attempted to extend HTMLPurifier to allow (some) iframes. Here's the commit message:

Add new HTML.SafeIframe and URI.IframeHostWhitelist options.

Many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format. This introduces two new settings:

• HTML.SafeIframe / bool, default: FALSE

  Whether or not to display iframe content.

• URI.IframeHostWhitelist / list, default: array()

  A list of whitelisted hosts for iframe content. Iframes are allowed only if the host explicitly matches an element of this array.

The code is available in the 'iframe' branch of http://repo.or.cz/w/htmlpurifier/bfroehle.git.

Here is a direct link to the branch http://repo.or.cz/w/htmlpurifier/bfroehle.git/shortlog/refs/heads/iframe

very good, is the host the only check that's done though? what if i use a host that is whitelisted but then add some javascript into the iframe that will break out the iframe and allow XSS

vaughan: No idea. I guess the whole thing with iframes is you have to explicitly trust the host on the other end to behave themselves.

no. what i meant was if someone on my site wants to posts something like (using youtube as src)

<iframe src="http://youtube.com" width="100%" height="300">
  <SCRIPT SRC=http://myxsslocation/xss.js></SCRIPT>
</iframe>

or

<iframe src="http://youtube.com" width="100%" height="300">
  <IMG SRC=javascript:alert('XSS')>
</iframe>

in those case the iframe src is a valid whitelisted source. but the content would allow me to post javascript etc to allow XSS. is it only validating on the iframe SRC or does it also check the validity of the rest of the content if the src is still valid.

Well the innards of the iframe will be purified like all the other content --- so for me those end up being purified as:

<p><iframe src="http://youtube.com" height="300">
  </iframe>
</p>

I guess the width=100% is getting filtered out --- I'm not sure how to allow that.

What is the best way to install this on the standalone version? Sorry a bit confused when comparing the file locations, etc. I went ahead and added the code but get this result in the error log:

[03-02-2011 01:01:23am] Cannot set undefined directive URI.IframeHostWhitelist to value [03-02-2011 01:01:23am] Cannot retrieve value of undefined directive HTML.SafeIframe [03-02-2011 01:01:24am] Cannot set undefined directive HTML.SafeIframe to value [03-02-2011 01:01:24am] Element 'iframe' is not supported (for information on implementing this, see the support forums)

Any clue?

This does not work if we set the AllowedElements and AllowedAttributes to null (to allow all HTML). We do this in an application admin area to allow the admin to use all HTML and only limit tags in the user accounts.

Sorry about the long lead time to patch review. I've been wondering whether or not we should just convert the new YouTube iframe code into the old-style embed code, or if we need more stringent matching against allowed iframe URLs (for example, the scheme as stand allows any YouTube page to be embedded; really, we only want the actual videos to be allowed.)

Another consideration is how to ensure that old users who enabled YouTube will find it still working, without having to set yet another configuration knob.

personally i'd say go with converting the iframe back to the object method. but i know many people who are going to complain at that because they can't use the object method on their iphones because of the lack of flash support unless they jailbreak the phone itself, and the iframe method allows them to view youtube on their iphones/ipads etc.

can't wait for HTML5 to be frank, then can do away with flash altogether. i hate flash as much (if not more) than Steve Jobs does. lol

I've decided to drop this from the agenda of 4.3.0; I was originally planning to fix this before I did the next release, but it seems clear that I don't know what I want to do here and we need to get a new release out (lots of bugfixes and features...)

I say iFrames are still allowed with the host idea but perhaps add a secondary feature to allow simple regex patterns to be applied to the hosts rather than just an allow list. This feature is turned off by default in htmlpurifier. So let us developers provide the necessary regex (or even provide examples in the documentation). That way we can just do a regex on the iframe src field and this would match the host and the exact URL used for videos, etc.

@atDev: So you are suggesting something like %URI.IframeWhitelistRegex ?

Yes something similar to that. I am mainly trying to think of a way to cover all of these embed/iframe codes we have to deal with on a more global scale rather than having htmlpurifier have to support each individual format on its own through a filter.

@atDev: Go checkout http://repo.or.cz/w/htmlpurifier/bfroehle.git/shortlog/refs/heads/iframe again.

I've implemented %URI.IframeWhitelistRegexp, which you could set to array('%%") if you wanted to match all URI's.

Ah, that is quite a good addition. We should put in a few recommended regex strings for the docs (for example, for YouTube and such).

Let me know the sites you get most requested and I'll send sample regexes for review if you need them.

Example youtube URL: http://www.youtube.com/embed/7-VhZ7P9m1M?rel=0

Does anyone know the format of the end part of the URL?

I assume youtube would be similar to: /^https?:\/\/www\.youtube\.com\/embed\/[^\?]+\?rel=0$/

Obviously if someone knows the format of the video ID part this can be made more strict

Well, AFAICT, YouTube is the only video site that uses iframes.

many are starting to use em now.

vimeo does for sure as default

<iframe src="http://player.vimeo.com/video/20559041" width="400" height="225" frameborder="0"></iframe><p><a href="http://vimeo.com/20559041">AUCAN - Heartless</a> from <a href="http://vimeo.com/user1342215">SHIROPPO STUDIO</a> on <a href="http://vimeo.com">Vimeo</a>.</p>

The regexs should be fairly basic...

Vimeo: /^https?:\/\/player\.vimeo\.com\/video\/[0-9]+$/

Hi. Today is my first time with htmlpurifier and I search a possibility to show youtube and another video-stream in iframes. So I found this topic here.

I have downloaded the "bfroehle" folder. :) Coming this extension in the official release too? Is this code the correct way? Btw I have change the regex for youtube a little.

require_once('/bfroehle/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.IframeWhitelistRegexp', array
(
'/^https?:\/\/www\.youtube\.com\/embed\/[a-zA-Z0-9]+$/',
'/^https?:\/\/player\.vimeo\.com\/video\/[0-9]+$/'
));
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($_POST['editor1']);

Thanks!

Hey, so I was trying to clone the git repo, and it timed out on me.

You have any other ways for me to access the latest code?

From my console:

reagand@reagand-desktop:~/dev/stuff$ git clone http://repo.or.cz/w/htmlpurifier/bfroehle.git
Cloning into bfroehle...
error: Failed connect to repo.or.cz:80; Connection timed out while accessing http://repo.or.cz/w/htmlpurifier/bfroehle.git/info/refs

fatal: HTTP request failed

Wrong URL, try http://repo.or.cz/r/htmlpurifier/bfroehle.git or git://repo.or.cz/htmlpurifier/bfroehle.git

Nope. Still timing out. I wonder if some hardware or something in between me and the git repo is failing...

david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone http://repo.or.cz/r/htmlpurifier/bfroehle.git
Cloning into bfroehle...
error: Failed connect to repo.or.cz:80; Connection timed out while accessing http://repo.or.cz/r/htmlpurifier/bfroehle.git/info/refs

fatal: HTTP request failed
david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone git://repo.or.cz/htmlpurifier/bfroehle.git
Cloning into bfroehle...
repo.or.cz[0: 195.113.20.142]: errno=Connection timed out
fatal: unable to connect a socket (Connection timed out)
david@selenium:~/dev/drupal/testbed/sites/all/libraries$ git clone git://repo.or.cz/htmlpurifier/bfroehle.git
Cloning into bfroehle...
repo.or.cz[0: 195.113.20.142]: errno=Connection timed out
fatal: unable to connect a socket (Connection timed out)

Yeah, it works fine for me. Try a different machine?

Hi there, Just wondering if this will actually get into the newest release...

Basically I'm trying to figure out if I should implement it right now to actually allow Iframes, or wait until you guys come up with an hopefully "final" solution.

Is a 'Final Solution' even planned for as of yet?

BTW, just my 2 cents...

I hate the fact that Youtube switched to Iframes in the first place (and I hate the fact that they are using illegal and non standard compliant tags [such as allowfullscreen] even more), but when looking at it through objective eyes Iframes are indeed the best way for a website that embeds stuff onto other pages to embed whatever they need to embed properly onto some other website. Additionally at this time, the reality is that Iframes are also sort of a "must" for XMLHttpRequest (read as Ajax I guess) file submission forms.

Personally, I think Iframes should STAY deprecated and that the XMLHttpRequest should be modified and fixed up to natively allow file submission similarly as to how regular HTML handles it, However the likelihood of that happening in a reasonable time it's to say the least Unrealistic.

I would therefore suggest for HtmlPurifier to enact full Iframes support, giving it's user methods to white-list the src as stated above, as well as removing or testing additional Iframe parameters to make the Iframe input actually Standards Compliant (and XSS free).

I think that it would Eventually be nice to just add the Iframe to the allowed html like so: $config->set('HTML.Allowed', 'iframe[src|width|height|boder]'); OR $config->set('HTML.AllowedAttributes', 'iframe.src,iframe.width,iframe.height,iframe.boder');

That's while having the config automatically take care of the common video/maps/trusted domains by simply allowing the iframes in question with the listed parameters, yet removing any other iframe(s).

The current way to list the domains already seems very practical to use, so I think the next logical step would be to just allow the tag by default without having to set $config->set('HTML.SafeIframe', true);

Again, that's just my 2 cents on the situation...

I've heavily revamped the patch and it'll be going in 4.3.1... or maybe 4.4.0 (sounds like we've got enough stuff in this release to give it a minor version bump)