iFrame is escaped in output and not working anymore

[rehoehle]

Since some versions there is a problem that iFrames are escaped in the output and the iframe is not visible. Before 10.4.18 i think it was working fine. Not the problem is that the youtube plugin for the RTE isn't working anymore.

Version is 10.4.21 (Composer latest version)

<p>&lt;iframe allowfullscreen frameborder="0" height="360"
  src="https://www.youtube.com/embed/fUEHlY8" width="640"&gt;&lt;/iframe&gt;</p>

So i have checked not a lot of tutorials and tested now over 2 hours all solutions.

In the Site TS-Config i have tested a low of things.

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

But nothing is working anymore. Is there a solution or a fix to solve the Problem? Do i miss something?

[ohader]

Currently there is no generic solution (yet) in typo3/html-sanitizer for this aspect - however the topic has been briefly discussed at

• https://forge.typo3.org/issues/94917
• https://gist.github.com/ohader/2239dab247e18d23e677fd1b816f4fd5

---

TypoScript configuration as shown above does not have any impact on typo3/html-sanitizer - that's on purpose:

RTE.default.proc {
  allowTags := addToList(object,param,embed,iframe)
  allowTagsOutside := addToList(object,embed,iframe)
  entryHTMLparser_db.allowTags < .allowTags
}

Without explicitly defining allowed attributes for all(!) tags, the shown TypoScript configuration allows cross-site scripting - and that's exactly the reason typo3/html-sanitizer is more strict in this regard. The following proof-of-concept code demonstrates what is possible with those TypoScript settings from above:

<iframe src="javascript:alert('iframe-src')"></iframe>
<object data="null" type="text/invalid" onerror="alert('object-err')"></object>
<embed src="null" type="text/invalid" onload="alert('embed-err')" height="100" widht="100">

[ohader]

Some additional research, this is for instance how mailtrap.io is embedding arbitrary mails in an <iframe>:

<iframe src="..." title="Message view" class="i6jjn6"
  sandbox="allow-popups-to-escape-sandbox allow-forms allow-pointer-lock allow-popups allow-presentation allow-orientation-lock allow-modals allow-same-origin"><p>Your browser does not support iframes.</p></iframe>

[ohader]

I've added a section on <iframe> to the tests, using new feature Attr::MANDATORY, which requires an attribute to be given and having specified values:

https://github.com/TYPO3/html-sanitizer/blob/main/tests/ScenarioTest.php#L162-L212

$behavior = (new Behavior())
    ->withFlags(Behavior::ENCODE_INVALID_TAG + Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('scenario-test')
    ->withTags(
        (new Behavior\Tag('iframe'))->addAttrs(
            (new Behavior\Attr('id')),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allow
            (new Behavior\Attr('allow'))->withValues(
                new Behavior\MultiTokenAttrValue(' ', 'fullscreen')
            ),
            // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
            (new Behavior\Attr('sandbox', Behavior\Attr::MANDATORY))->withValues(
                new Behavior\EmptyAttrValue(),
                new Behavior\MultiTokenAttrValue(
                    ' ',
                    'allow-downloads',
                    'allow-modals',
                    'allow-orientation-lock',
                    'allow-pointer-lock',
                    'allow-popups',
                    'allow-scripts'
                )
            ),
            (new Behavior\Attr('src'))->withValues(
                ...(new UriAttrValueBuilder())->allowSchemes('http', 'https')->getValues()
            )
        )
    );

[ohader]

I've extracted this to a stand-alone preset in PR #93