Problem/Motivation
- Create an Article node. For the Body field, choose the "Full HTML" format, click the "Source" button in the CKEditor toolbar, and enter the following HTML:
<iframe src="http://example.com/"></iframe> <!--break--> stuff below the fold - Save that article. Notice that the iframe and the "stuff below the fold" is displayed, because the article is being shown in the "Full" view mode.
- Go to the home page. Notice that nothing is shown for the article's teaser, not even the iframe.
- This is because for the teaser,
text_summary()is called and passed aFilteredMarkupobject, marking the string as safe for rendering, because it's already been processed by a text format (in this case, by "Full HTML" which allows iframes). However,text_summary()then extracts the part before<!--break-->, and returns it as a plain string. Because it's a plain string, not a MarkupInterface object, when it gets rendered it gets passed toXss::filterAdmin(), which strips out the iframe. - We're running into this problem in #2940029-89: Add an input filter to display embedded Media entities, where the iframe is a rendered YouTube video. In other words, this bug prevents the "Media Embed" filter from working as expected when embedded videos should otherwise be displayed in a content teaser.
Proposed resolution
Fix text_summary() to return a MarkupInterface object when a MarkupInterface object is passed in.
Remaining tasks
This issue is tagged with "Needs security review", because we should make sure that the proposed resolution is in fact a safe thing to do. In other words, if an HTML string has been determined to be safe to render, is it valid to assume that a fragment of it is also safe to render?