Report a Bug
#BugReportDecidim Let's test Decidim and report bugs together
Accepted
When I use an embed url I hope the video will be displayed in the description of the debate. In this case, it only appears on the card.
We should use a reflector in decidim_sanitize instead of simple_format.
This proposal has been accepted because:
This incidence has been solved. Closed via #4850.
Thank you for contributing!
Related images
Report inappropriate content
Is this content inappropriate?
7 comments
Conversation with Isaac Massot
@mrcasals @andres @josepjaume We should discuss this. I think it is important to use 'decidim_sanitize'everywhere insted of 'simple_format'
beware! `decidim_sanitize` does not replace `simple_format` one should be applied after the other. Probable best order will be `decidim_sanitize(simple_format(text))`. Event better will be to create a new `Decidim::SanitizeHelper#sanitized_simple_format` method that applies both.
Conversation with Oriol
I don't think this is actually a bug (and especially not related to 0.16 since it's been working like this for many months), in any case, it would be an enhancement.
The problem I'm seeing is allowing inserting any kind of iframe in the description of a debate (or other parts), this could potentially lead to spam or even malicious uses.
I'd actually remove embedding an iframe inside the card.
It is a bug from the moment the user is allowed to insert a video iframe and is not rendered in the public part. Otherwise, it would not make sense for the user to do this.
On the other hand, to avoid spam or malicious uses, the video iframe could be restricted to the administrator and not to the participants.
The problem is allowing to add any iframe content, I’m against that and I think we should remove it.
Also, even in the case that we allowed videos I wouldn’t show them in the card.
And if we only allow admins to do it, this would be (to me) a new feature, since initially you couldn’t embed an iframe, and this bug is a side effect of allowing it.
Exact. For me, it is a bug that is not currently displayed on the public side, since both delete iframe content or allow admins is a new functionality.
I'll update how debates are rendered for consistency but I think we should revisit the fact that iframes can be shown at cards and that you can embed any type of content.
Add your comment
Sign in with your account or sign up to add your comment.
Loading comments ...