-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add html generation for photo type embed previews #1334
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, works as expected 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One moment, I have a possible concern here I'd like some time to explore.
XSS is fun:
This is one benefit of using React elements over concatenating strings, as it takes care of escaping attribute values. Also why In this case, we must not allow user values ( |
@aduth aha, I did try to find a service where that was a problem, but it looked like the embed API returned safe values. Thanks for finding one that didn't, will change things 😄 |
Ok, switched to JSX for the photo preview. I was under the impression that the embed API supplied clean values, but now I see it was actually cloudup sanitising things. |
One-off sanitization scares me a bit. I'm looking at |
Yes, we absolutely should be doing sandboxing, but it's difficult. On the initial version of this block, we agreed that we'd just inject the html into a div for now, so we could get the block working, and look at sandboxing once it was done. I do not like the current implementation of HtmlEmbed, but the amount of work needed to get sandboxed iframes working correctly is not a small amount. Calypso has a resizing iframe, but it does not work by itself, there is more code needed to correctly calculate the height of embedded content for previews, and that code needs to be looked at and brought over into the HtmlEmbed component. It's not simple :( I'm looking at it though. |
I opened #1348 to track the sandboxing issue. |
Got the ok from @mtias to merge this, as long as we're working on the sandboxing. |
No description provided.