How much should we trust other authors?

phiw13 · 2023-12-11 03:33:09

Yes, a CSP sandbox directive is set, though it shouldn’t block styles (must be some other CSP rule).

After more careful look what was actually happening in my case is that –given that the webfonts are blocked– many small things did not render correctly (font-features not available in the fall back font).

And the reason the webfont blocking: no CORS Access-Control-Allow-Origin header set (although I still see the error after configuring it).

Other things that go wrong: embedded videos do not appear or appear partly.

Blocked script execution in https://player.vimeo.com/video/121745940?h=9c645a9aae' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

We could remove it for author’s own articles.

Dunno. Maybe? For the authors’s own articles, viewing the draft on the public side with all functionality enabled makes life comfortable when authoring.

kuopassa · 2023-12-11 04:18:03

Here’s perhaps a solution, but a complicated one, that fixes blocked content caused by Content Security Policy (CSP) header:

Have a script run in the background that reads every published article contents, then extract external links from them, then remove query parameters etc. so that only the base domains are left, then put those domains in an array, remove duplicates, and create a CSP header that allows content from those domains. 😐

phiw13 · 2023-12-11 04:54:56

Ref, the webfonts & CORS issue for articles in Draft mode:

Header set Access-Control-Allow-Origin *

But for some reason I don’t think that is a good idea for a Live server.

(it is not a big issue)

etc · 2023-12-11 09:15:32

I actually think the article preview security could be left to site admins, since it happens on the public side now. They should secure their site anyway, by setting appropriate headers (via .htaccess or config.php or <txp:header /> or whatever).

etc · 2023-12-15 21:37:06

phiw13 wrote #336084:

Good to see you added the wrapper inside your shadow root (#txp-preview-wrapper).

Do we really need this wrapper, given that it wraps the whole preview content?

phiw13 · 2023-12-16 02:18:57

etc wrote #336163:

Do we really need this wrapper, given that it wraps the whole preview content?

Do you mean <div id="txp-preview-wrapper" class="body"> ?

If you don’t need for your template construction, then I don’t thinks so.

When I first made the suggestion (adding the id) to the div I thought mainly about having a selector to fully isolate any styling given to the content, but everything is now sandboxed and loads it’s own style block, so for styling reason that selector is not needed.

Pat64 · 2023-12-17 08:30:12

But shortcodes are treated as suspicious (TXP-4.9-dev with clean preview enabled)

phiw13 · 2023-12-17 08:45:00

Pat64 wrote #336171:

But shortcodes (…)

Any <txp: /> tag, actually.

etc · 2023-12-17 11:36:42

phiw13 wrote #336172:

Any <txp: /> tag, actually.

They are:

<img src="x" <txp::echo text="onerror='alert(1)'" /> />

What if echo shortcode just echoes text?

Pat64 · 2023-12-17 14:28:20

Nope. all <txp:... /> tags!

etc · 2023-12-17 14:50:00

Pat64 wrote #336175:

Nope. all <txp:... /> tags!

They are all potentially unsafe:

<txp:tag label='<script>alert("XSS")</script>' />
<!-- or -->
<txp::shortcode label='<script>alert("XSS")</script>' />

This will not be detected by DOMPurify, since txp is not xml.

phiw13 · 2023-12-18 00:30:26

Pat64 wrote #336175:

Nope. all <txp:... /> tags!

Just fwiw

Those did not display/parse with the previous incarnation of the Preview panel (TXP 4.8.8). No changes. No regression.
All <txp: /> tags are handled correctly when viewing the (draft) article in the public side context¹ –even when the “sanitize” checkbox is checked.

And I don’t really expect those to display in the Preview panel.

–^–

A maybe odd or confusing behaviour with the “sanitize” checkbox under the Save button.

Save article as draft,
Check the Sanitize box and view the article in the public side context,
Continue editing, Save your work.

That “sanitize” checkbox is immediately unchecked. But maybe my expectation is wrong.

–––

¹ from the View link under the “Save” button

Textpattern CMS

Textpattern CMS support forum

#25 2023-12-11 03:33:09

Re: How much should we trust other authors?

#26 2023-12-11 04:18:03

Re: How much should we trust other authors?

#27 2023-12-11 04:54:56

Re: How much should we trust other authors?

#28 2023-12-11 09:15:32

Re: How much should we trust other authors?

#29 2023-12-15 21:37:06

Re: How much should we trust other authors?

phiw13 wrote #336084:

#30 2023-12-16 02:18:57

Re: How much should we trust other authors?

etc wrote #336163:

#31 2023-12-17 08:30:12

Re: How much should we trust other authors?

#32 2023-12-17 08:45:00

Re: How much should we trust other authors?

Pat64 wrote #336171:

#33 2023-12-17 11:36:42

Re: How much should we trust other authors?

phiw13 wrote #336172:

#34 2023-12-17 14:28:20

Re: How much should we trust other authors?

#35 2023-12-17 14:50:00

Re: How much should we trust other authors?

Pat64 wrote #336175:

#36 2023-12-18 00:30:26

Re: How much should we trust other authors?

Pat64 wrote #336175:

Board footer