Problem/Motivation
- Under certain circumstances, the (JS) code in
DrupalMediaEditing._fetchPreview
may fail to fetch a preview because it won't handle query parameters included in thepreviewUrl
variable passed down from the server properly. - The text parameter sent to
MediaFilterController::preview()
contains markup which can lead to 403 on those requests if a site is behind a WAF
Steps to reproduce
Issue described in point 1 above: On vanilla D10 10.1.x
- Install the layout_builder, media_library, wse modules
- Enable layout builder on the article content type enabling layout overrides for any article
- Enable the Embed media toolbar item and filter in the Basic HTML text format
- Add
$config['wse.settings']['append_current_workspace_to_url'] = TRUE;
to settings.php - Create and article and edit it's layout
- Add a block of type Basic block to the layout and insert an image media (uploading a new image) in the body field, save the block
- Click the Configure contextual link on the added block
Expected result: The editor loads the added image
Actual result: The editor displays an error message An error occurred while trying to preview the media. Please save your work and reload this page.
As for point 2, the same steps can be used to replicate it, but the testsite needs to be behind a WAF that has a rule which detects/rejects requests with markup in query parameters.
Proposed resolution
Point 1:
Ensure existing query parameters get included in the request sent by DrupalMediaEditing._fetchPreview()
I realize one may argue this is a WSE problem, but the scenario of other pre-existing query parameters is nonetheless realistic and the core code should be able to handle this case.
Point 2:
As suggested by Fabianx, we can base64 encode the markup and decode it again in the controller.