@@ -34,8 +34,8 @@ function getXSSOptions(urlTransform): IFilterXSSOptions | undefined {
3434 // - stripIgnoreTagBody - completely get rid of dangerous HTML
3535 // (otherwise user sees weird mangled style code, when seeing
3636 // nothing would be better).
37- // - whiteList - we need iframes, though we lock them down as
38- // much as possible, while still supporting 3d graphics .
37+ // - whiteList - we need iframes to support 3d graphics; unfortunately this
38+ // isn't safe without a lot more work, so we do NOT enable them .
3939 return {
4040 stripIgnoreTagBody : true ,
4141 // SECURITY: whitelist note -- we had tried to explicitly allow mathjax script tags in sanitized html
@@ -45,16 +45,21 @@ function getXSSOptions(urlTransform): IFilterXSSOptions | undefined {
4545 // The fix is completley removing any whitelisting of any script tags. The feature of
4646 // mathjax in html is not important enough to support, and too dangerous -- even if it worked,
4747 // it would probably be an easy attack vector by just making up fake mathjax.
48+ // Due to https://github.com/sagemathinc/cocalc/security/advisories/GHSA-jpjc-pwjv-j9mg
49+ // we also remove all use of iframes, which
4850 whiteList : {
4951 ...whiteList ,
50- iframe : [ "src" , "srcdoc" , "width" , "height" ] ,
52+ // DISABLED due to https://github.com/sagemathinc/cocalc/security/advisories/GHSA-jpjc-pwjv-j9mg
53+ // iframe: ["src", "srcdoc", "width", "height"],
54+ iframe : [ ] ,
5155 html : [ ] ,
5256 } ,
5357 safeAttrValue : ( tag , name , value ) => {
54- if ( tag == "iframe" && name == "srcdoc" ) {
55- // important not to mangle this or it won't work.
56- return value ;
57- }
58+ // disabled since not sufficiently secure.
59+ // if (tag == "iframe" && name == "srcdoc") {
60+ // // important not to mangle this or it won't work.
61+ // return value;
62+ // }
5863 if ( urlTransform && URL_TAGS . includes ( name ) ) {
5964 // use the url transform
6065 return urlTransform ( value , tag , name ) ?? value ;
0 commit comments