Wiki: Include HTML content on Raw HTML Editor doesn't reproduce HTML

Created on 13 Apr 2020 · 6 Comments · Source: Requarks/wiki

When displaying a page written in HTML, the HTML code is displayed instead of reproducing the HTML content.

To Reproduce
Steps to reproduce the behavior:
1 - Create a new page with Raw HTML type
2 - Include an iframe tag from YouTube, example:

3 - The displayed content is the HTML code and not the video.

Expected behavior
Show video from iframe

Screenshots

Host Info (please complete the following information):

  • OS: CentOS 7
  • Wiki.js version: 2.2.51
  • Database engine: postgres 10.12

Additional context
The content written in the HTML editor is displayed in double quotes and the browser cannot interpret the written html.

All 6 comments

You need to disable HTML Sanitizer on Security rendering module. After that you can re-render the page and see if the iframe shows up

This doesn't seem like a proper way to solve this problem. The expected behaviour of the HTML sanitizer is to only remove content from 'untrustable' sources. Even when embedding videos using the visual editor, the video is not rendered on the page (it is rendered in the editor, as described in this issue).

> This doesn't seem like a proper way to solve this problem. The expected behaviour of the HTML sanitizer is to only remove content from 'untrustable' sources. Even when embedding videos using the visual editor, the video is not rendered on the page (it is rendered in the editor, as described in this issue).

Well yes, but this is an iframe. Anything malicious can happen. Are you really "trust your editors" about it?

> Well yes, but this is an iframe. Anything malicious can happen. Are you really "trust your editors" about it?

You're right, what I meant to say was: it would be better to wait for the implementation of rendering videos added in the visual editor automatically, instead of turning off the HTML Sanitizer (because as you rightly point out, this would cause security issues).

Thanks for this support, I initially disabled HTML Sanitizer for now. Can we close this issue?

> Thanks for this support, I initially disabled HTML Sanitizer for now. Can we close this issue?

If your issue is resolved, feel free to close it yourself 🙂
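
The thread weighs two options: disable the sanitizer entirely, or keep it and lose the video. A third pattern is to keep sanitizing and rebuild iframes only for allowlisted embed origins. The following is an added example, not Wiki.js code or configuration: `ALLOWED_EMBEDS`, `checkEmbedSrc`, `escapeAttr` and `renderEmbed` are hypothetical names, and the host list and sandbox tokens are assumptions.

```javascript
// Added example; names are hypothetical, not Wiki.js settings or APIs.
// Constructed allowlist: exact embed host -> required path prefix.
const ALLOWED_EMBEDS = new Map([
  ['www.youtube.com', '/embed/'],
  ['www.youtube-nocookie.com', '/embed/'],
]);

// Return the normalized URL if `src` is an allowed embed, otherwise null.
function checkEmbedSrc(src) {
  let url;
  try {
    url = new URL(src); // absolute URLs only; relative or malformed input throws
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null; // rejects javascript:, data:, http:
  if (url.username || url.password || url.port) return null; // no userinfo or odd ports
  const prefix = ALLOWED_EMBEDS.get(url.hostname); // exact match, never a suffix match
  if (!prefix || !url.pathname.startsWith(prefix)) return null; // path is already dot-normalized
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuild the element from the validated URL instead of passing the editor's
// markup through, so no author-supplied attribute (onload, srcdoc, style) survives.
function renderEmbed(src) {
  const safe = checkEmbedSrc(src);
  if (safe === null) return ''; // drop the iframe, as the sanitizer would
  // Sandbox tokens are an assumption about what a cross-origin video player needs.
  return `<iframe src="${escapeAttr(safe)}" sandbox="allow-scripts allow-same-origin" ` +
    `referrerpolicy="no-referrer" loading="lazy"></iframe>`;
}

// Constructed inputs: one allowed embed, one look-alike host.
console.log(renderEmbed('https://www.youtube.com/embed/VIDEO_ID?start=10&rel=0'));
console.log(JSON.stringify(renderEmbed('https://www.youtube.com.evil.example/embed/x')));
```
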
