Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The audio of an embedded video can be made to auto-play outside of the post #650

Closed
Kradyz opened this issue May 17, 2022 · 9 comments
Closed

The audio of an embedded video can be made to auto-play outside of the post #650

Kradyz opened this issue May 17, 2022 · 9 comments
Labels
bug Something isn't working

Comments

@Kradyz
Copy link
Contributor

Kradyz commented May 17, 2022
edited
Loading

Found a bug? Please fill out the sections below. 👍

Issue Summary

A summary of the bug.

If you are on a page which contains the link to a post, and that post contains a video embedded using iframe, the audio of the video will be heard (if you access via a URL externally, then the auto play will occur as soon as an action is taken on that page, for example, changing from "All" to "Local", or from "New" to "Hot".) This autoplay occurs even if the browser is set to block autoplay.

Steps to Reproduce

Create a post and embed a video beginning with a block such as the following:

<div style='position:relative; padding-bottom:calc(50%)'><iframe src='https://radiz.nl/dancingbug.mp4' frameborder='0' scrolling='no' width='100%' height='100%' style='position:absolute;top:0;left:0;' allowfullscreen></iframe></div>

Then, go to the sub-lemmy that contains that post. If the audio does not autoplay, change the "Sort type".

You can access an example by going to:

https://mander.xyz/c/test

Then change the "Sort type" to something else.

EDIT: I have noticed the following. If the post has a first sentence, then a space, and after this the embedding block, then the autoplay will not happen. For example:

a

<div style='position:relative; padding-bottom:calc(50%)'><iframe src='https://radiz.nl/dancingbug.mp4' frameborder='0' scrolling='no' width='100%' height='100%' style='position:absolute;top:0;left:0;' allowfullscreen></iframe></div>

Won't autoplay. Maybe this provides another clue about what is going on.

Technical details

I have tested this in Firefox both for arch linux and an android phone.
@Kradyz Kradyz added the bug Something isn't working label May 17, 2022
@Nutomic
Copy link
Member

Nutomic commented May 18, 2022

I think the best solution for this problem might be to add a check so that iframe tags are not allowed in user submitted text.

@dessalines
Copy link
Member

I'd rather just turn off allowing html in the markdown parser. It was always a potential security problem.

@Nutomic
Copy link
Member

Nutomic commented May 20, 2022

Some html is harmless (like tables). Maybe it could use a whitelist for safe html tags? If not, disabling html completely is probably best.

@dessalines
Copy link
Member

Markdown-it really suggests you just turn it off. https://github.com/markdown-it/markdown-it/blob/master/docs/security.md

We've seen a few exploits using it so far, and html also isn't likely going to work on any other clients anyway.

dessalines added a commit that referenced this issue May 22, 2022
@dessalines
Turn off html in markdown. Fixes #650
bfcae65
Nutomic pushed a commit that referenced this issue May 24, 2022
@dessalines @Nutomic
Turn off html in markdown. Fixes #650
d1a3a2f
dessalines added a commit that referenced this issue May 24, 2022
@dessalines
Turn off html in markdown. Fixes #650
a1cc7f3
@ShashiTharoor
Copy link

where you deployed your website?

@ShashiTharoor
Copy link

Found a bug? Please fill out the sections below. 👍

Issue Summary

A summary of the bug.

If you are on a page which contains the link to a post, and that post contains a video embedded using iframe, the audio of the video will be heard (if you access via a URL externally, then the auto play will occur as soon as an action is taken on that page, for example, changing from "All" to "Local", or from "New" to "Hot".) This autoplay occurs even if the browser is set to block autoplay.

Steps to Reproduce

Create a post and embed a video beginning with a block such as the following:

<div style='position:relative; padding-bottom:calc(50%)'><iframe src='https://radiz.nl/dancingbug.mp4' frameborder='0' scrolling='no' width='100%' height='100%' style='position:absolute;top:0;left:0;' allowfullscreen></iframe></div>

Then, go to the sub-lemmy that contains that post. If the audio does not autoplay, change the "Sort type".

You can access an example by going to:

https://mander.xyz/c/test

Then change the "Sort type" to something else.

EDIT: I have noticed the following. If the post has a first sentence, then a space, and after this the embedding block, then the autoplay will not happen. For example:

a

<div style='position:relative; padding-bottom:calc(50%)'><iframe src='https://radiz.nl/dancingbug.mp4' frameborder='0' scrolling='no' width='100%' height='100%' style='position:absolute;top:0;left:0;' allowfullscreen></iframe></div>

Won't autoplay. Maybe this provides another clue about what is going on.

Technical details

I have tested this in Firefox both for arch linux and an android phone.

Hey Can You please tell me where you are hosting your website and what is its cost?

@jakariyaa
Copy link

How can one add/upload video in the post like picture now that html is disabled?

@Nutomic
Copy link
Member

Nutomic commented Jun 2, 2022
edited
Loading

@Xeunyx-Cypher Post a link to youtube, peertube etc. Embeds for those will be supported in 0.17.

@jakariyaa
Copy link

@Nutomic
I hope you guys bring the embed feature very soon. (Or a feature to upload videos similar to what we have for pictures currently)

@Nutomic Nutomic mentioned this issue Jun 2, 2022
Open
@CosteaPaul CosteaPaul mentioned this issue Aug 10, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dessalines @Nutomic @jakariyaa @Kradyz @ShashiTharoor