I posted this on Slack but I think it should be here.
I may not sound professional but I think this may be a problem. Let's say someone wanna play you and they got access to your computer, open boostnote and insert this into the currently openning note.
<iframe src="http://hackersite.com/attackfile.php" width=100% height=0></iframe>
From then on, Boostnote will be useless unless you go into the cson file and try to delete that line. I can even use some more malicious link to put into the iframe, instead of this non-existent link.
What do you guys think about this ?
luong-komorebi
All 3 comments
This is actually exactly the feature I am looking for! I never tried putting the iframe HTML into a Boostnote until now but just 2 days ago posted a feature request for Iframew website support which i'm sure you saw the post here https://github.com/BoostIO/Boostnote/issues/361
As Boostnote is on your own PC/Mac I would think it would be the users responsibility for locking there computer access down and this feature should remain working as I don't agree with it being a security issue .
If there was an online web version, then obviously I would agree in that case. (not trying to sound rude or anything =)
As far as using this as a bonus feature as I hope to do, I suggest to just make sure that if your note only has the iframe and nothing else that you do not make it 100% width and height as this would make it hard to go into edit mode if you use the right click toggle mode option. Simply adding other content with the iframe HTML to create a space in the page where the right click toggle in Boostnote will remain working or else sizing the frame as mentioned to not consume the whole window will make it so you don't have to edit any CSON files.
Demo with BoostNote Website Embeded as Iframe
Multiple Iframe Tabs
Tab/file 3 even has a CodePen.io Editor Embeded
jasondavis
on 28 Mar 2017
which i'm sure you saw the post here #361
Haha No, I didn't see it. But it is a nice idea. Let the developers discuss more and have some time.
luong-komorebi
on 29 Mar 2017
We currently have a "allow dangerous HTML tags" setting. Is this sufficient to combat this behavior?
Flexo013
on 24 Jul 2019
Related issues
NourEldin275
路
3Comments
N2ITN
路
3Comments
Petroochio
路
3Comments
louiealmeda
路
3Comments
croulibri
路
3Comments
Most helpful comment
This is actually exactly the feature I am looking for! I never tried putting the iframe HTML into a Boostnote until now but just 2 days ago posted a feature request for Iframew website support which i'm sure you saw the post here https://github.com/BoostIO/Boostnote/issues/361
As Boostnote is on your own PC/Mac I would think it would be the users responsibility for locking there computer access down and this feature should remain working as I don't agree with it being a security issue .
If there was an online web version, then obviously I would agree in that case. (not trying to sound rude or anything =)
As far as using this as a bonus feature as I hope to do, I suggest to just make sure that if your note only has the iframe and nothing else that you do not make it 100% width and height as this would make it hard to go into edit mode if you use the right click toggle mode option. Simply adding other content with the iframe HTML to create a space in the page where the right click toggle in Boostnote will remain working or else sizing the frame as mentioned to not consume the whole window will make it so you don't have to edit any CSON files.
Demo with BoostNote Website Embeded as Iframe
Multiple Iframe Tabs
Tab/file 3 even has a CodePen.io Editor Embeded