We have a Sitefinity 11.0.6701.0 site in which I have a page that contains a Content Block with an iframe in it. The page we are displaying in the iframe is dynamic and has a form in it - we are not concerned with clickjacking or anything like that as we host the src page as well.

We recently upgraded our site from version 8 and now the iframe's content (which we also host on a separate site) does not allow for the dynamic content to work.

I noticed that Sitefinity seems to be adding a sandbox="allow-scripts allow-same-origin" attribute to the iframe at runtime. I have attempted to change this to sandbox="allow-forms" as well as simply removing the sandbox attribute altogether, but Sitefinity dynamically adds the first attribute back in at runtime. It replaces the "allow-forms" with the "allow-scripts allow-same-origin" attribute.

Does anyone know where this is controlled in Sitefinity and how we can overcome this problem? We need this page to be dynamic. For contractual reasons, I can't change actual code in our Sitefinity environment, only work within the CMS.

Thanks in advance, Jamie

1 Answer

This is caused by the Html Sanitizer.

One option is to disable it under Administration > Settings > Advanced > Security > Disable HTML sanitization and restart the site.

Another option is to try and modify the sanitizer configuration as shown here: https://docs.sitefinity.com/html-sanitization#modify-the-html-sanitizer-configuration

But looking at the decompiled code of v.11 it may not be that easy:

    using System;
    using AngleSharp.Dom;
    using Ganss.XSS;

    // Decompiled nested type: Sitefinity wraps the Ganss HtmlSanitizer and
    // registers a post-processing hook that runs once per sanitized node.
    private class GanssHtmlSanitizer : HtmlSanitizer
    {
        private const string IframeNodeName = "iframe";

        public GanssHtmlSanitizer() : base(null, null, null, null, null)
        {
            // iframe is not allowed by the Ganss defaults; Sitefinity allows it explicitly.
            base.AllowedTags.Add(IframeNodeName);
            base.PostProcessNode += new EventHandler<PostProcessNodeEventArgs>(this.GanssHtmlSanitizer_PostProcessNode);
        }

        private void GanssHtmlSanitizer_PostProcessNode(object sender, PostProcessNodeEventArgs e)
        {
            if (string.Compare(e.Node.NodeName, IframeNodeName, true) == 0)
            {
                // The sandbox value is hard-coded here, so any sandbox attribute
                // written in the CMS content block (e.g. "allow-forms") is overwritten.
                (e.Node as IElement).SetAttribute("sandbox", "allow-scripts allow-same-origin");
                string attribute = (e.Node as IElement).GetAttribute("src");
                (e.Node as IElement).SetAttribute("src", this.SanitizeUrl(attribute));
            }
        }

        /// <inheritdoc />
        public string SanitizeUrl(string url)
        {
            return base.SanitizeUrl(url, null);
        }
    }
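As an added example (not Sitefinity's code, and not part of the answer above), here is how a custom Ganss HtmlSanitizer subclass could keep the same restrictive default sandbox for every iframe while adding allow-forms only when the sanitized src points at an explicitly allowlisted host, so the decision is never driven by whatever sandbox value a content author typed. It assumes the Ganss.XSS package (the namespace is Ganss.Xss in HtmlSanitizer 6 and later) and a constructed allowlist host; it does not plug into Sitefinity's configuration.

```csharp
using System;
using System.Collections.Generic;
using AngleSharp.Dom;
using Ganss.XSS; // assumption: older package namespace; use Ganss.Xss for HtmlSanitizer 6+

// Added example, not Sitefinity's code: every iframe keeps the restrictive
// default sandbox; allow-forms is added only for an https src on a trusted host.
public class AllowlistIframeSanitizer : HtmlSanitizer
{
    private const string DefaultSandbox = "allow-scripts allow-same-origin";
    private readonly HashSet<string> trustedHosts;

    public AllowlistIframeSanitizer(IEnumerable<string> trustedHosts)
    {
        this.trustedHosts = new HashSet<string>(trustedHosts, StringComparer.OrdinalIgnoreCase);
        AllowedTags.Add("iframe");
        PostProcessNode += OnPostProcessNode;
    }

    private void OnPostProcessNode(object sender, PostProcessNodeEventArgs e)
    {
        if (!(e.Node is IElement el) || !string.Equals(el.NodeName, "iframe", StringComparison.OrdinalIgnoreCase))
            return;

        // Sanitize src first (returns null for disallowed schemes), then decide
        // the sandbox from that value rather than from the author's attribute.
        string src = SanitizeUrl(el.GetAttribute("src") ?? string.Empty, null) ?? string.Empty;
        el.SetAttribute("src", src);

        string sandbox = DefaultSandbox;
        if (Uri.TryCreate(src, UriKind.Absolute, out Uri uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && trustedHosts.Contains(uri.Host))
        {
            sandbox = DefaultSandbox + " allow-forms";
        }
        el.SetAttribute("sandbox", sandbox);
    }
}

public static class Demo
{
    public static void Main()
    {
        var sanitizer = new AllowlistIframeSanitizer(new[] { "forms.example.internal" }); // constructed host
        // Constructed input: one frame to our own form host, one to an untrusted host.
        string html = "<iframe src=\"https://forms.example.internal/apply\" sandbox=\"allow-forms\"></iframe>"
                    + "<iframe src=\"https://untrusted.example/page\" sandbox=\"allow-forms\"></iframe>";
        Console.WriteLine(sanitizer.Sanitize(html)); // first frame gains allow-forms, second is reset to the default
    }
}
```

Note that allow-scripts combined with allow-same-origin already lets a same-origin framed document remove its own sandbox restrictions, so the allowlist, not the sandbox token list, is what actually limits which hosts get a relaxed frame.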