[Bug]: popup - iframe stop working on LWC 3.8 #4863

josemvm opened this issue Oct 14, 2024 · 10 comments
josemvm commented Oct 14, 2024

What is the bug? (in English)

LWC 3.7.11
popup shows iframe in second table
[image]

LWC 3.8.3-pre
popup doesn't show iframe in second table
[image]

LWC 3.7.11 and LWC 3.8.3-pre
data - everything works fine
[image]

Steps to reproduce the issue

try between these versions

Versions, safeguards, check summary etc

Versions :

  • Lizmap Web Client : 3.8.3-pre.7994
  • Lizmap plugin : 4.4.2
  • QGIS Desktop : 3.34.11
  • QGIS Server : 3.34.11
  • Py-QGIS-Server : not used
  • QGIS Server plugin atlasprint : 3.4.1
  • QGIS Server plugin lizmap_server : 2.11.0
  • QGIS Server plugin wfsOutputExtension : 1.8.2
List of Lizmap Web Client modules :

  • multiauth : 1.2.2

List of safeguards :

  • Mode : normal
  • Allow parent folder : no
  • Prevent other drive : no
  • Prevent PG service : no
  • Prevent PG Auth DB : no
  • Force PG user&pass : no
  • Prevent ECW : no

Check Lizmap plugin

  • I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.

Operating system

Ubuntu 22.04

Browsers

Firefox

Browsers version

131.0.2

Relevant log output

No response

@josemvm josemvm added the bug label Oct 14, 2024
@josemvm josemvm added this to the 3.8.3 milestone Oct 14, 2024
@josemvm josemvm added the popup label Oct 14, 2024
@josemvm josemvm changed the title [Bug]: popup - iframe stop working on LWV 3.8 [Bug]: popup - iframe stop working on LWC 3.8 Oct 14, 2024

josemvm commented Oct 15, 2024

This is the console output:

[image]

Strange output... it's the same permissions to show the document in table (data tool), and as I said before, on LWC 3.7 all works fine for popup tool and also for data tool.

@nboisteault nboisteault self-assigned this Oct 15, 2024

josemvm commented Oct 17, 2024

    protected function error403($message)
    {
        /** @var jResponseJson $rep */
        $rep = $this->getResponse('json');
        $rep->data = array('error' => '403 forbidden (you\'re not allowed to access to this media)', 'message' => $message);
        $rep->setHttpStatus('403', 'Forbidden');

        return $rep;
    }

@Antoviscomi

@josemvm possibly related to #4707 ?


josemvm commented Oct 21, 2024

Hi @Antoviscomi, I'm talking about HTML, the <iframe> tag.


Antoviscomi commented Oct 21, 2024

@josemvm that's now sanitized, as well as all HTML tags to any dynamic container, to avoid XSS attacks, so all the readdressing on dynamic contents shall be unavailable.


josemvm commented Oct 21, 2024

> @josemvm that's now sanitized as all HTML tags to dynamic container to avoid XSS attacks, so all the readdressing on dynamic contents shall be unavailable.

@Antoviscomi yes, I really understand the security issues, but there should also be the possibility of creating exceptions for what is truly secure, I think.

@Antoviscomi

@josemvm I totally agree with you!


josemvm commented Oct 23, 2024

[image]


Antoviscomi commented Oct 24, 2024

@josemvm right, but it doesn't work without a parent layer, that is, if the layer that allows the iframe to be displayed does not have a parent or a relation set, I suppose. Furthermore, the content you need to serve is a static file (.pdf), not a dynamic object, so the sanitization problem in the case of dynamic content (for example, an HTML document with bookmarks) remains unsolved.


josemvm commented Oct 24, 2024

> @josemvm right but doesn't work without a parent layer

Yes, but it's very strange...
