Comments
I think x00 means well when he warns people to not do it. His contribution is the experience he has acquired, and he knows what he is talking about. There are real reasons to worry and why this option is disabled in htmLawed.
If you really need it, you should make sure you trust the content's source. I would consider using permissions to control who can post iframe and who can't. You may need a plugin to do that.
Just be careful is what it boils down to.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
@JoZ3_69 with respect, the only situation that you should be enabling iframe like this is on a private forum, with a handful of trusted members.
This is not how you accept iframed YouTube videos, period.
Obviously I have something to contribute, I am contributing right now.
Feel free to ignore my advice. It is there for others to take heed.
I think the point is people often don't really fully understand the risks.
grep is your friend.
@whu66 @vrijvlinder I recognize that there may be good intentions, but the way of communicating is not the best. If I am using the iframe, it is because I know the risks and I can use it on my forum, which is a very closed community and does not allow registration; you can enter only by invitation from administrators. What I disagree with is the question that can be given about the types of work or using certain things. I think everyone has their reasons for using certain tools and because they know the risks.
Sorry if I was too harsh with my words, but that's what I think about this @x00.
Don't worry about it. I just want to make sure people are aware. People do copy things like this. They aren't aware of your circumstances either.
grep is your friend.
You are putting your users' security at risk by allowing iframe embeds.
While the content is separated, iframes still have the ability to navigate the top window, for example to redirect users to a malicious page.
What if someone embeds a page that serves drive-by downloads?
You could tighten the security by forcing the relatively new sandbox attribute for iframes, but that probably requires tweaking the htmLawed settings.
Something like this should only be allowed selectively for a trusted group of users.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
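The advice in the last comment (force the sandbox attribute and only accept trusted sources), sketched as a filter applied to post HTML after htmLawed has run. This is an added example, not code from the thread, Vanilla or htmLawed; the function name, constants and host allowlist are assumptions.

```php
<?php
// Added example. ALLOWED_HOSTS, SANDBOX_TOKENS and harden_iframes() are
// hypothetical names, not part of Vanilla or htmLawed.
const ALLOWED_HOSTS = ['www.youtube.com', 'www.youtube-nocookie.com', 'player.vimeo.com'];
// allow-top-navigation and allow-popups are deliberately left out, so the
// framed page cannot redirect the forum tab or open new windows.
// allow-scripts with allow-same-origin is only acceptable because every
// allowlisted host is a different origin from the forum itself.
const SANDBOX_TOKENS = 'allow-scripts allow-same-origin';

function harden_iframes(string $html): string
{
    $prev = libxml_use_internal_errors(true);   // tolerate HTML5 tags quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    $wrap = $doc->getElementsByTagName('div')->item(0);

    // Copy the live node list first, because frames may be removed below.
    foreach (iterator_to_array($doc->getElementsByTagName('iframe')) as $frame) {
        $url = parse_url($frame->getAttribute('src')) ?: [];
        $ok = strtolower($url['scheme'] ?? '') === 'https'
            && in_array(strtolower($url['host'] ?? ''), ALLOWED_HOSTS, true);
        if (!$ok) {
            $frame->parentNode->removeChild($frame);   // unknown source: drop it
            continue;
        }
        // Keep only layout attributes; this also strips srcdoc, allow, name
        // and on* handlers, then pins the sandbox policy.
        foreach (iterator_to_array($frame->attributes) as $attr) {
            if (!in_array(strtolower($attr->name), ['src', 'width', 'height'], true)) {
                $frame->removeAttribute($attr->name);
            }
        }
        $frame->setAttribute('sandbox', SANDBOX_TOKENS);
    }

    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $out;
}

// Constructed sample post: one allowlisted embed, one arbitrary frame.
$post = '<p>Watch this</p>'
      . '<iframe src="https://www.youtube.com/embed/VIDEO_ID" sandbox="allow-top-navigation" onload="x()"></iframe>'
      . '<iframe src="https://example.invalid/page"></iframe>';
echo harden_iframes($post), "\n";
```

On the sample input the second frame is dropped, and the first keeps only its `src` plus the fixed sandbox policy, whatever sandbox value the poster supplied.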