DOC oembed sandboxing #673

Merged
26 changes: 24 additions & 2 deletions en/02_Developer_Guides/03_Forms/Field_types/03_HTMLEditorField.md
Expand Up @@ -299,7 +299,7 @@ SilverStripe\Core\Injector\Injector:
- proxy: '111.222.333.444:55'
```

## Limiting oembed URLs
### Limiting oembed URLs

HTMLEditorField can have whitelists set on both the scheme (default HTTP & HTTPS) and domains allowed when
inserting files for use with oembed.
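Review bot: Demoting `## Limiting oembed URLs` to `###` only reads correctly if an `##` heading above it (in the unchanged lines before this hunk) covers oembed as a whole; otherwise this subsection ends up nested under whatever `##` precedes the Injector proxy config block at the top of the hunk. Worth confirming that parent heading exists in the surrounding text, and stating in the PR description that this is an intentional hierarchy change rather than a stray `#`, since the sibling `### Sandboxing oembed HTML` section introduced later in this change depends on the same parent.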
Expand Down Expand Up @@ -335,7 +335,29 @@ of the above values.
By default live sites (see [environment types](/developer_guides/debugging/environment_types/)) will not attempt to resolve oembed urls that
point to localhost to protect your site from cross site request forgery.

### Doctypes
### Sandboxing oembed HTML

In order to prevent any malicious oembed providers from injecting XSS payloads into the current webpage, HTML content that is returned is sandboxed in an `iframe` tag.

With the [`EmbedShortcodeProvider.domains_excluded_from_sandboxing`](api:SilverStripe\View\Shortcodes\EmbedShortcodeProvider->domains_excluded_from_sandboxing) configuration property, you can explicitly declare domains which should be excluded from sandboxing if you find it is interfering with embeds from specific domains. For example if a YouTube embed was not rendering correctly as a result of the sandboxing you could use this YAML configuration:

```yml
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
domains_excluded_from_sandboxing:
- 'youtube.com'
```

Do not include the protocol (i.e. don't include `https://` or `http://`).

You can also change the attributes of the iframe itself with the [`EmbedShortcodeProvider.sandboxed_iframe_attributes`](api:SilverStripe\View\Shortcodes\EmbedShortcodeProvider->sandboxed_iframe_attributes) configuration property:

```yml
SilverStripe\View\Shortcodes\EmbedShortcodeProvider:
sandboxed_iframe_attributes:
allow: 'fullscreen'
```

## Doctypes

Since TinyMCE generates markup, it needs to know which doctype your documents will be rendered in. You can set this
through the [element_format](https://www.tiny.cloud/docs/tinymce/6/content-filtering/#element_format) configuration variable.
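Review bot: The new section explains how to exclude a domain from sandboxing but not what that costs. The opening sentence says the sandbox exists to stop a malicious oembed provider from injecting XSS, so an entry in `domains_excluded_from_sandboxing` re-enables exactly that exposure for the listed domain; the text next to the YouTube example should say so (for instance: "only exclude domains whose oembed output you trust, because their HTML is then rendered directly in the page"). It should also state how domains are matched: whether `'youtube.com'` covers `www.youtube.com` and other subdomains, and whether the comparison is against the oembed provider host or the URL the author entered in the editor. The `sandboxed_iframe_attributes` example only shows `allow: 'fullscreen'`; if the same property can also set or override the `sandbox` attribute itself, a sentence listing the attributes applied by default, and which of them should be left alone, would keep readers from weakening the sandbox by accident. Minor: the `### Doctypes` to `## Doctypes` change mirrors the heading-level swap in the previous hunk, so the parent heading of the oembed subsections should be checked in the same pass.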