Skip to content

Using custom HTML in video embed code doesn't work #2893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lkraav opened this issue Feb 12, 2020 · 4 comments
Open

Using custom HTML in video embed code doesn't work #2893

lkraav opened this issue Feb 12, 2020 · 4 comments
Labels
Courses Legacy Legacy functionality that has been replaced by blocks Lessons [Pri] Low Cosmetic issue, low impact, easy workaround [Type] Bug

Comments

@lkraav
Copy link
Contributor

lkraav commented Feb 12, 2020
edited by donnapep
Loading

https://github.com/Automattic/sensei/blob/version/2.4.0/includes/class-sensei-course.php#L3074 is broken.

Original issue #1613

Original fix #1631

Re-broken by adding wp_kses() at https://github.com/Automattic/sensei/pull/2296/files#diff-c0922c04ec6aa809fbd289ed7aabc9d7R3158 in #2296

Currently, Sensei()->settings->get( 'sensei_video_embed_html_sanitization_disable' ) is meaningless, because final wp_kses() call will not allow much custom HTML to pass.

EDIT same for lessons:

https://github.com/Automattic/sensei/blob/version/2.4.0/includes/class-sensei-frontend.php#L1020

UPDATE:
Work to be done for this issue can be found in this comment.
@lkraav lkraav changed the title 2.4.0: Custom HTML in video embed code re-broken by PHPCS fixes 2.4.0: Custom HTML in video embed code re-broken by wp_kses() PHPCS fixes Feb 12, 2020
lkraav added a commit to lkraav/sensei that referenced this issue Feb 12, 2020
@lkraav
Unbreak Course/Video custom HTML setting functionality [1]
0bbd5ed 
1: Automattic#2893
lkraav added a commit to lkraav/sensei that referenced this issue Feb 12, 2020
@lkraav
Unbreak Course/Video custom HTML setting functionality, fix Automatti…
fca69a1 
…c#2893
@donnapep
Copy link
Collaborator

I'm not a fan of the sensei_video_embed_html_sanitization_disable and would like to eliminate it eventually. It feels irresponsible on our part to allow for even the possibility of having security issues on a site.

Which elements are not working in the video embed fields? I'd rather that we explicitly add those that are not working as part of the existing wp_kses call, than remove escaping altogether.

@donnapep donnapep mentioned this issue Feb 16, 2020
Open
@lkraav
Copy link
Contributor Author

lkraav commented Feb 16, 2020
edited
Loading

Which elements are not working in the video embed fields?

I'm not sure this is feasible. In our case, it's not only the video - it's also a complete transcript / chapter display system (mostly divs, but also paragraphs, custom icon elements, etc)

This is just us, I bet Sensei user surface worldwide can have more variations of elements.

I was looking for $allowed_html to be filterable, alas it currently isn't.

Allow for even the possibility of having security issues on a site.

🤷‍♂️ I don't know if this is really securing anything significant at the end of the day?

Alternatively, we could relatively easily sidestep using Sensei hooks to render our video display system directly in theme template however we wish, only keeping Sensei embed video meta box for data storage model.

But still, as-is, Sensei's "Remove security" option is broken. Do y'all have telemetry data on how much this option is even used? Perhaps could just remove it and related logic, and we all move on however?

@donnapep
Copy link
Collaborator

donnapep commented Feb 23, 2020
edited
Loading

It seems there are a couple of issues here:

  1. The necessity of the Disable HTML security setting, which sounds like a separate issue not to be tackled here.
  2. The allowed HTML in the video embed fields for both courses and lessons is too restrictive.

2 seems like it could be solved by merging wp_kses_allowed_html( 'post' ) and $allowed_html, and also adding a filter for anyone who wants to add more elements.

@bhavik-dreamz
Copy link

i have updated code you can check here #2950 , please wait for approving this,

@donnapep donnapep changed the title 2.4.0: Custom HTML in video embed code re-broken by wp_kses() PHPCS fixes Custom HTML in video embed code re-broken by wp_kses() PHPCS fixes Mar 18, 2020
@donnapep donnapep changed the title Custom HTML in video embed code re-broken by wp_kses() PHPCS fixes Using custom HTML in video embed code doesn't work Mar 18, 2020
@donnapep donnapep added [Pri] Low Cosmetic issue, low impact, easy workaround Legacy Legacy functionality that has been replaced by blocks and removed [Status] Queued [Pri] Normal Can wait for the next release labels Mar 22, 2021
lkraav added a commit to conversionxl/sensei that referenced this issue Mar 25, 2021
@lkraav
Unbreak Course/Video custom HTML setting functionality [1]
bbe4ded 
1: Automattic#2893
@vavroom vavroom mentioned this issue Mar 25, 2021
Open
pawelkmpt pushed a commit to conversionxl/sensei that referenced this issue Feb 15, 2022
@lkraav @pawelkmpt
Unbreak Course/Video custom HTML setting functionality [1]
762e246 
1: Automattic#2893
saas786 pushed a commit to saas786/cxl-sensei-lms that referenced this issue Nov 17, 2022
@lkraav @saas786
Unbreak Course/Video custom HTML setting functionality [1]
f128778 
1: Automattic#2893
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Courses Legacy Legacy functionality that has been replaced by blocks Lessons [Pri] Low Cosmetic issue, low impact, easy workaround [Type] Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lkraav @alexsanford @donnapep @bhavik-dreamz