[wp-trac] [WordPress Trac] #49173: Allow sanitized inline styles on oEmbed iframes

WordPress Trac noreply at wordpress.org
Mon Jan 13 17:09:44 UTC 2020


#49173: Allow sanitized inline styles on oEmbed iframes
--------------------------+------------------------------
 Reporter:  westonruter   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Embeds        |     Version:  4.4
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+------------------------------

Comment (by westonruter):

 Replying to [comment:5 swissspidy]:
 > Is this related to https://github.com/WordPress/gutenberg/issues/13000 /
 > the same issue?

 Yes, I think so.

 > I would be careful with whitelisting inline styles as it could lead to
 > issues with other providers.

 I don't see the problem with allowing a sanitized `style` attribute to be
 passed through. The same styles are allowed by authors in post content. To
 me it seems oEmbed providers should be allowed to use the same styles that
 authors can.

 > Looking at the inline style from this embedded content -
 > `border:none;max-width:500px;min-width:300px;min-height:550px;width:100%` -
 > I don't exactly see why it is absolutely necessary:
 >
 > * Borders can be disabled with `frameborder=0`
 > * The `width` and `height` attributes on the iframe are whitelisted,
 >   allowing the provider to define the dimensions that way
 > * Themes can support responsive embeds, removing the need to manually
 >   have something like `width:100%` for embed iframes

 The issue I think is that the oEmbed data is being provided generically
 independent of the platform. So the same HTML being sent from NY Times
 needs to work in both WordPress and any other consumer. I don't think
 WordPress can be too heavy-handed at restricting what markup is allowed,
 as long as the markup is safe (e.g. no scripts, restricted styles).

 > It would require some deliberate testing.

 Testing needed for sure.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49173#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
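An added example, not WordPress core code and not part of this ticket, of the approach the comment argues for: pass an oEmbed iframe's inline `style` through a property allowlist rather than stripping the attribute, using the provider style string quoted above as constructed input. The allowlist and the two function names are assumptions for illustration; in core, author styles in post content are filtered by its own `safecss_filter_attr()`.

```php
<?php
// Added example (not WordPress core code): sanitize an iframe's inline style
// against a property allowlist, as post-content styles are, instead of
// stripping the attribute outright.

// Hypothetical allowlist for this example; core keeps its own list.
const EMBED_STYLE_ALLOWLIST = [
    'border', 'width', 'max-width', 'min-width',
    'height', 'max-height', 'min-height', 'margin', 'padding',
];

// Keep only declarations whose property is allowlisted and whose value is
// plain keywords/numbers/units; anything that could fetch a resource or run
// code (url(), expression(), javascript:, backslash escapes) is dropped.
function sanitize_embed_style( string $style ): string {
    $kept = [];
    foreach ( explode( ';', $style ) as $decl ) {
        if ( strpos( $decl, ':' ) === false ) {
            continue;
        }
        list( $prop, $value ) = explode( ':', $decl, 2 );
        $prop  = strtolower( trim( $prop ) );
        $value = trim( $value );
        if ( ! in_array( $prop, EMBED_STYLE_ALLOWLIST, true ) ) {
            continue;
        }
        if ( ! preg_match( '/^[a-z0-9.%#, -]+$/i', $value ) ) {
            continue;
        }
        $kept[] = $prop . ':' . $value;
    }
    return implode( ';', $kept );
}

// Rewrite style="..." on each <iframe>, removing it when nothing survives.
function sanitize_embed_iframe_styles( string $html ): string {
    return preg_replace_callback(
        '/<iframe\b([^>]*?)\sstyle=(["\'])(.*?)\2([^>]*)>/i',
        function ( $m ) {
            $clean = sanitize_embed_style( $m[3] );
            $attr  = '' === $clean ? '' : ' style="' . htmlspecialchars( $clean, ENT_QUOTES ) . '"';
            return '<iframe' . $m[1] . $attr . $m[4] . '>';
        },
        $html
    );
}

// Constructed input: the provider style quoted in the ticket plus one hostile declaration.
$embed = '<iframe src="https://example.com/embed" style="border:none;max-width:500px;min-width:300px;min-height:550px;width:100%;background:url(javascript:alert(1))" frameborder="0"></iframe>';
echo sanitize_embed_iframe_styles( $embed ), "\n";
```

The five layout declarations from the provider survive unchanged while the `background:url(...)` declaration is dropped, which is the "safe markup, restricted styles" outcome the comment describes.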


More information about the wp-trac mailing list