Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#25 2023-12-11 03:33:09

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207
Website

Re: How much should we trust other authors?

Yes, a CSP sandbox directive is set, though it shouldn’t block styles (must be some other CSP rule).

After more careful look what was actually happening in my case is that –given that the webfonts are blocked– many small things did not render correctly (font-features not available in the fall back font).

And the reason the webfont blocking: no CORS Access-Control-Allow-Origin header set (although I still see the error after configuring it).

Other things that go wrong: embedded videos do not appear or appear partly.

Blocked script execution in https://player.vimeo.com/video/121745940?h=9c645a9aae' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

We could remove it for author’s own articles.

Dunno. Maybe? For the authors’s own articles, viewing the draft on the public side with all functionality enabled makes life comfortable when authoring.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#26 2023-12-11 04:18:03

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 238
Website

Re: How much should we trust other authors?

Here’s perhaps a solution, but a complicated one, that fixes blocked content caused by Content Security Policy (CSP) header:

Have a script run in the background that reads every published article contents, then extract external links from them, then remove query parameters etc. so that only the base domains are left, then put those domains in an array, remove duplicates, and create a CSP header that allows content from those domains. 😐

Offline

#27 2023-12-11 04:54:56

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207
Website

Re: How much should we trust other authors?

Ref, the webfonts & CORS issue for articles in Draft mode:

Header set Access-Control-Allow-Origin *

But for some reason I don’t think that is a good idea for a Live server.

(it is not a big issue)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#28 2023-12-11 09:15:32

etc
Developer
Registered: 2010-11-11
Posts: 5,210
Website GitHub

Re: How much should we trust other authors?

I actually think the article preview security could be left to site admins, since it happens on the public side now. They should secure their site anyway, by setting appropriate headers (via .htaccess or config.php or <txp:header /> or whatever).

Offline

#29 2023-12-15 21:37:06

etc
Developer
Registered: 2010-11-11
Posts: 5,210
Website GitHub

Re: How much should we trust other authors?

phiw13 wrote #336084:

Good to see you added the wrapper inside your shadow root (#txp-preview-wrapper).

Do we really need this wrapper, given that it wraps the whole preview content?

Offline

#30 2023-12-16 02:18:57

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207
Website

Re: How much should we trust other authors?

etc wrote #336163:

Do we really need this wrapper, given that it wraps the whole preview content?

Do you mean <div id="txp-preview-wrapper" class="body"> ?

If you don’t need for your template construction, then I don’t thinks so.

When I first made the suggestion (adding the id) to the div I thought mainly about having a selector to fully isolate any styling given to the content, but everything is now sandboxed and loads it’s own style block, so for styling reason that selector is not needed.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#31 2023-12-17 08:30:12

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,635
GitHub Twitter

Re: How much should we trust other authors?

But shortcodes are treated as suspicious (TXP-4.9-dev with clean preview enabled)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#32 2023-12-17 08:45:00

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207
Website

Re: How much should we trust other authors?

Pat64 wrote #336171:

But shortcodes (…)

Any <txp: /> tag, actually.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#33 2023-12-17 11:36:42

etc
Developer
Registered: 2010-11-11
Posts: 5,210
Website GitHub

Re: How much should we trust other authors?

phiw13 wrote #336172:

Any <txp: /> tag, actually.

They are:

<img src="x" <txp::echo text="onerror='alert(1)'" /> />

What if echo shortcode just echoes text?

Offline

#34 2023-12-17 14:28:20

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,635
GitHub Twitter

Re: How much should we trust other authors?

Nope. all <txp:... /> tags!


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#35 2023-12-17 14:50:00

etc
Developer
Registered: 2010-11-11
Posts: 5,210
Website GitHub

Re: How much should we trust other authors?

Pat64 wrote #336175:

Nope. all <txp:... /> tags!

They are all potentially unsafe:

<txp:tag label='<script>alert("XSS")</script>' />
<!-- or -->
<txp::shortcode label='<script>alert("XSS")</script>' />

This will not be detected by DOMPurify, since txp is not xml.

Offline

#36 2023-12-18 00:30:26

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207
Website

Re: How much should we trust other authors?

Pat64 wrote #336175:

Nope. all <txp:... /> tags!

Just fwiw

  1. Those did not display/parse with the previous incarnation of the Preview panel (TXP 4.8.8). No changes. No regression.
  2. All <txp: /> tags are handled correctly when viewing the (draft) article in the public side context1 –even when the “sanitize” checkbox is checked.

And I don’t really expect those to display in the Preview panel.

–^–

A maybe odd or confusing behaviour with the “sanitize” checkbox under the Save button.

  • Save article as draft,
  • Check the Sanitize box and view the article in the public side context,
  • Continue editing, Save your work.

That “sanitize” checkbox is immediately unchecked. But maybe my expectation is wrong.

–––

1 from the View link under the “Save” button


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

Board footer

Powered by FluxBB