Textpattern CMS support forum
Re: How much should we trust other authors?
Yes, a CSP sandbox directive is set, though it shouldn’t block styles (must be some other CSP rule).
After a more careful look, what was actually happening in my case is that –given that the webfonts are blocked– many small things did not render correctly (font features not available in the fallback font).
And the reason for the webfont blocking: no CORS Access-Control-Allow-Origin header set (although I still see the error after configuring it).
Other things that go wrong: embedded videos do not appear or appear partly.
Blocked script execution in https://player.vimeo.com/video/121745940?h=9c645a9aae' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
We could remove it for author’s own articles.
Dunno. Maybe? For the author’s own articles, viewing the draft on the public side with all functionality enabled makes life comfortable when authoring.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: How much should we trust other authors?
Here’s perhaps a solution, but a complicated one, that fixes blocked content caused by the Content Security Policy (CSP) header:
Have a script run in the background that reads every published article’s contents, then extracts the external links from them, then removes query parameters etc. so that only the base domains are left, then puts those domains in an array, removes duplicates, and creates a CSP header that allows content from those domains. 😐
Re: How much should we trust other authors?
Ref. the webfonts & CORS issue for articles in Draft mode:
Header set Access-Control-Allow-Origin *
But for some reason I don’t think that is a good idea for a Live server.
(it is not a big issue)
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: How much should we trust other authors?
I actually think the article preview security could be left to site admins, since it happens on the public side now. They should secure their site anyway, by setting appropriate headers (via .htaccess or config.php or <txp:header /> or whatever).
Re: How much should we trust other authors?
etc wrote #336163:
Do we really need this wrapper, given that it wraps the whole preview content?
Do you mean <div id="txp-preview-wrapper" class="body">?
If you don’t need it for your template construction, then I don’t think so.
When I first made the suggestion (adding the id) to the div, I thought mainly about having a selector to fully isolate any styling given to the content, but everything is now sandboxed and loads its own style block, so for styling reasons that selector is not needed.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: How much should we trust other authors?
But shortcodes are treated as suspicious (TXP-4.9-dev with clean preview enabled)
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
Re: How much should we trust other authors?
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: How much should we trust other authors?
Nope. All <txp:... /> tags!
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
Re: How much should we trust other authors?
Pat64 wrote #336175:
Nope. All <txp:... /> tags!
They are all potentially unsafe:
<txp:tag label='<script>alert("XSS")</script>' />
<!-- or -->
<txp::shortcode label='<script>alert("XSS")</script>' />
This will not be detected by DOMPurify, since txp is not xml.
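An added example, not code from Textpattern or from anyone in this thread, of the kind of pre-parse check a preview could run for this case: because the HTML appears inside a Textpattern tag attribute, a DOM sanitizer run over the raw article source never sees it as markup, so the check below reads the attribute values of every <txp:... /> tag directly and flags any that contain tag-like markup. The tag syntax assumed (quoted attributes, optional self-closing slash, <txp::name> for shortcodes) and the sample article are constructed for the example.

```javascript
// Match <txp:name ... /> and <txp::shortcode ... /> with quoted attributes.
// Quoted values may contain '>' so the attribute list is matched explicitly
// instead of with a naive [^>]* (assumption: Textpattern attributes are quoted).
const TXP_TAG_RE =
  /<txp::?([\w-]+)((?:\s+[\w-]+\s*=\s*(?:'[^']*'|"[^"]*"))*)\s*\/?>/g;
// name='value' or name="value"
const ATTR_RE = /([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)")/g;
// Anything that looks like an HTML tag or a javascript: URL inside a value.
const MARKUP_RE = /<\s*[\/!a-z]|javascript:/i;

// Return every txp tag attribute whose value carries markup. The result is
// what a preview handler would use to refuse or escape the draft.
function findSuspiciousTxpAttributes(source) {
  const findings = [];
  for (const tag of source.matchAll(TXP_TAG_RE)) {
    const [, name, attrList] = tag;
    for (const attr of attrList.matchAll(ATTR_RE)) {
      const value = attr[2] !== undefined ? attr[2] : attr[3];
      if (MARKUP_RE.test(value)) {
        findings.push({ tag: name, attribute: attr[1], value });
      }
    }
  }
  return findings;
}

// Constructed sample article: two harmless tags and the two cases from the
// thread, one as a normal tag and one as a shortcode.
const SAMPLE_ARTICLE = [
  '<p>Intro paragraph written by the author.</p>',
  '<txp:article_custom limit="5" form="short" />',
  '<txp:tag label=\'<script>alert("XSS")</script>\' />',
  '<txp::shortcode label="<script>alert(\'XSS\')</script>" />',
  '<txp:site_name />',
].join('\n');

for (const f of findSuspiciousTxpAttributes(SAMPLE_ARTICLE)) {
  console.log(`txp:${f.tag} attribute "${f.attribute}" contains markup: ${f.value}`);
}
```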
Re: How much should we trust other authors?
Pat64 wrote #336175:
Nope. All <txp:... /> tags!
Just fwiw
- Those did not display/parse with the previous incarnation of the Preview panel (TXP 4.8.8). No changes. No regression.
- All <txp: /> tags are handled correctly when viewing the (draft) article in the public side context¹ –even when the “sanitize” checkbox is checked.
And I don’t really expect those to display in the Preview panel.
–^–
A maybe odd or confusing behaviour with the “sanitize” checkbox under the Save button.
- Save article as draft,
- Check the Sanitize box and view the article in the public side context,
- Continue editing, Save your work.
That “sanitize” checkbox is immediately unchecked. But maybe my expectation is wrong.
–––
¹ from the View link under the “Save” button
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern