Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

skip empty srcs for safe iframe srcs #3216

Merged
merged 2 commits into from
Mar 12, 2021

Conversation

peterbe
Copy link
Contributor

@peterbe peterbe commented Mar 12, 2021

Fixes #3215

It looks like this now:

Screen Shot 2021-03-12 at 10 43 39 AM

Contrast that with: https://github.com/mdn/content/pull/3064/checks?check_run_id=2095600358

@peterbe
Copy link
Contributor Author

peterbe commented Mar 12, 2021

To test this, run:

export BUILD_LIVE_SAMPLES_BASE_URL=
BUILD_FLAW_LEVELS="unsafe_html: error, *:ignore"

and then:

yarn build [specificfiles ...]

build/flaws.js Outdated

$("script, embed, object, iframe").each((i, element) => {
const { tagName } = element;
if (tagName === "iframe") {
// For iframes we only check the 'src' value
const src = $(element).attr("src");
if (src.startsWith("/") && !src.includes("://")) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also check for !src.startsWith("//") as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right!

Copy link
Contributor

@escattone escattone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @peterbe!

@escattone escattone merged commit 18ef258 into mdn:main Mar 12, 2021
@peterbe peterbe deleted the 3215-skip-empty-srcs-for-safe-iframe-srcs branch March 12, 2021 21:06
wbamberg pushed a commit to wbamberg/yari that referenced this pull request Mar 15, 2021
* upstream/main: (164 commits)
  skip empty srcs for safe iframe srcs (mdn#3216)
  correct code comment (mdn#3223)
  build(deps): bump ahmadnassri/action-dependabot-auto-merge (mdn#3197)
  build(deps-dev): bump @types/react-dom from 17.0.1 to 17.0.2 (mdn#3164)
  create a whatsdeployed.json for translated-content too (mdn#3221)
  avoid double-slash redirects (mdn#3222)
  build(deps): bump image-size from 0.9.4 to 0.9.5 (mdn#3214)
  build(deps): bump boto3 from 1.17.22 to 1.17.26 in /deployer (mdn#3212)
  Fix our auto-merge workflow (mdn#3218)
  build(deps-dev): bump ts-loader from 8.0.17 to 8.0.18 (mdn#3208)
  disable lighthouse PR check unless relevant changes (mdn#3203)
  hide toolbar for frozen locales (mdn#3213)
  build(deps): bump is-svg from 4.2.1 to 4.2.2 (mdn#3209)
  build(deps): bump @mdn/browser-compat-data from 3.1.3 to 3.2.0 (mdn#3210)
  downloading external images for translated-content (mdn#3207)
  add active locales (mdn#3201)
  add tool command for rendering/removing macros (mdn#2955)
  unsafe html should be a breaking flaw (mdn#3192)
  open editor for translated content (mdn#3196)
  add fundamental redirects for /en-US/Security/CSP (mdn#3200)
  ...
peterbe added a commit to peterbe/yari that referenced this pull request Jun 1, 2021
* skip empty srcs for safe iframe srcs

Fixes mdn#3215

* feedbacked
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

unsafe_html fails on all iframes if BUILD_LIVE_SAMPLES_BASE_URL is empty
2 participants