Describe the bug
This is the exact same issue as this one: #2130, so I won't repeat the screenshots.
The video is displayed normally in admin panel when editing the participatory process description, but not displayed on the public page of the process.
To Reproduce
Steps to reproduce the behavior:
- Go to admin panel and edit the participatory process
- In description, in quill editor, add a video and provide the URL
- Save the participatory process
- Open the public page of the participatory process - the video is not shown, only a <br> tag appears instead of the <iframe ...> tag.
Expected behavior
Video displayed on both - admin page when editing and on public page.
Extra data (please complete the following information):
- Decidim Version: release/0.27-stable
Additional context
Just for the info, this is the previous fix to the previous issue #2130
Investigations
It's using the Decidim::SanitizeHelper to sanitize the input content.
Specifically, the participatory process view uses the decidim_sanitize_editor method, which internally uses Decidim::UserInputScrubber, and that scrubber allows only "standard" tags.
On the other side, decidim_sanitize_editor_admin now uses Decidim::AdminInputScrubber, which does allow the iframe tag to be displayed.
That being said, this PR introduced the issue by moving the iframe tag allowance to the admin scrubber.
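To make the difference between the two scrubbers concrete, here is an added, dependency-free illustration (not Decidim's code; Decidim's scrubbers are built on Rails::Html::PermitScrubber, which this does not use). It models a "public" allowlist without iframe and an "admin" allowlist with it, and shows that the public scrubber strips the <iframe> while keeping the surrounding text, which is exactly the symptom above. The tag sets, the trusted embed hosts, the sample description and the decision to only keep <iframe> elements whose src points at a trusted https host are all assumptions made for this example, not behaviour of Decidim.

```ruby
require "strscan"
require "uri"

# Minimal allowlist-based tag scrubber (added example, not Decidim's code).
# Disallowed tags are stripped but their text content is kept, so a dropped
# <iframe> leaves the rest of the description intact.
class AllowlistScrubber
  TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
  ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/ # assumes double-quoted attributes

  # allowed: { "tag" => ["attr", ...] }; iframe_hosts: hosts an <iframe src> may use
  def initialize(allowed, iframe_hosts: [])
    @allowed = allowed
    @iframe_hosts = iframe_hosts
    @skip_closing = [] # dropped opening tags whose closing tag must go too
  end

  def scrub(html)
    out = +""
    s = StringScanner.new(html)
    until s.eos?
      if s.scan(TAG_RE)
        closing = !s[1].empty?
        out << rebuild(closing, s[2].downcase, s[3])
      else
        out << (s.scan(/[^<]+/) || s.getch) # plain text (or a stray '<')
      end
    end
    out
  end

  private

  def rebuild(closing, name, raw_attrs)
    return "" unless @allowed.key?(name)
    if closing
      return "" if @skip_closing.delete(name)
      return "</#{name}>"
    end
    attrs = raw_attrs.scan(ATTR_RE).map { |k, v| [k.downcase, v] }.to_h
    attrs = attrs.select { |k, _| @allowed[name].include?(k) }
    if name == "iframe" && !trusted_embed?(attrs["src"])
      @skip_closing << name
      return ""
    end
    "<#{name}#{attrs.map { |k, v| %( #{k}="#{v}") }.join}>"
  end

  # Assumption for this example: only https embeds from known hosts are kept.
  def trusted_embed?(src)
    return false if src.nil?
    uri = URI.parse(src)
    uri.scheme == "https" && @iframe_hosts.include?(uri.host)
  rescue URI::InvalidURIError
    false
  end
end

# Assumed tag sets: a "standard" public set and an admin set that adds <iframe>.
PUBLIC_ALLOWED = {
  "p" => [], "br" => [], "strong" => [], "em" => [],
  "ul" => [], "ol" => [], "li" => [], "a" => ["href"]
}.freeze
ADMIN_ALLOWED = PUBLIC_ALLOWED.merge("iframe" => ["src"]).freeze
TRUSTED_EMBED_HOSTS = %w[www.youtube.com player.vimeo.com].freeze # assumed

def sanitize_public(html)
  AllowlistScrubber.new(PUBLIC_ALLOWED).scrub(html)
end

def sanitize_admin(html)
  AllowlistScrubber.new(ADMIN_ALLOWED, iframe_hosts: TRUSTED_EMBED_HOSTS).scrub(html)
end

# Constructed sample of what a Quill description with an embedded video might contain.
SAMPLE_DESCRIPTION =
  '<p>Welcome</p>' \
  '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560"></iframe>' \
  '<iframe src="https://untrusted.example/page"></iframe>' \
  '<span class="ql-size-large">note</span>'

if __FILE__ == $PROGRAM_NAME
  puts sanitize_public(SAMPLE_DESCRIPTION) # <p>Welcome</p>note
  puts sanitize_admin(SAMPLE_DESCRIPTION)  # <p>Welcome</p><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>note
end
```

The public output shows the reported behaviour: the iframe vanishes, the text stays. Whatever the eventual fix, the admin output shows the shape a safer iframe allowance would take: a fixed set of attributes and a host restriction, so that enabling the tag for a wider audience does not mean accepting arbitrary embeds.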
Question
What would be the proper fix?
Should Decidim::SanitizeHelper also whitelist the iframe tag, or was there some decision to allow that exclusively in the admin panel?
Participatory processes are just one of the many places where the quill editor is used.
Should the helper method be changed from decidim_sanitize_editor to decidim_sanitize_editor_admin (which would be a bit weird to have in a public view, I think)?
Thanks!