
4.3 and Codepen


I noticed that in 4.3, Codepen was removed from \IPS\Text\Parser::_oembedServices. 

Was this intentional? And if so, can you please provide the reason? I have a client that uses codepen extensively, so if there was a valid reason for its removal, I'd like to know so that I can be aware of the "consequences" of putting it back in.

Thanks.

Yes, it was intentional.

Codepen can execute javascript in the local scope, so it introduced a minor potential security vulnerability.


Doh, Ryan sniped me

That's a huge disappointment and I'd like to strongly recommend that you put it back. Codepen embeds didn't run by default anyway - the user needed to click to activate. 

It's not like having the user click a link to go to the codepen URL (instead of embedding) would somehow protect them from malicious JS in that codepen, right? So this is just kicking the can down the road (and simultaneously frustrating your customers like me and providing a worse user experience for forums users). 

Literally almost every thread in our forums has a codepen, so this decision you made has significant ramifications for us. Please reconsider. 

If Invision chooses not to add it back then you can add it back using this:

 

There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users.

On 6/4/2018 at 10:14 AM, bfarber said:

There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users.

didn't realize JS was so powerful, it could alter the course of an entire culture and society?

Edited by CodingJungle

Not for this - the very nature of codepen is that arbitrary javascript can execute.
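As an added illustration of the point made in this thread (this is not Invision Community code, and not the plugin CodingJungle refers to), the following PHP shows one way an integrator could render a Codepen-style embed while keeping the provider's JavaScript out of the page's own origin: the provider URL is checked against an allowlist and rendered as an iframe whose sandbox attribute grants allow-scripts but not allow-same-origin, so whatever runs inside gets an opaque origin and cannot read the host page's DOM or cookies. The allowlist, the accepted URL pattern and the embed URL template are assumptions made for the example.

```php
<?php
// Added example, not Invision Community code. Renders an allowlisted
// provider URL as a sandboxed iframe instead of inserting the provider's
// own embed markup (which may contain a <script> that runs in page scope).
declare(strict_types=1);

// Hypothetical allowlist: host => embed URL template (user, slug).
const EMBED_PROVIDERS = [
    'codepen.io' => 'https://codepen.io/%s/embed/%s?default-tab=result',
];

/**
 * Returns a sandboxed <iframe> for an allowlisted embed URL, or null when
 * the URL is not https, not an allowlisted host, or not in the expected shape.
 */
function buildSandboxedEmbed(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || strtolower($parts['scheme'] ?? '') !== 'https') {
        return null; // only https embeds
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null; // reject credentials or unusual ports in the embed URL
    }
    $host = strtolower($parts['host'] ?? '');
    if (!array_key_exists($host, EMBED_PROVIDERS)) {
        return null; // not an allowlisted provider
    }
    // Assumed path shape: /<user>/pen/<slug>
    if (!preg_match('#^/([A-Za-z0-9_-]+)/pen/([A-Za-z0-9]+)/?$#', $parts['path'] ?? '', $m)) {
        return null;
    }
    $src = sprintf(EMBED_PROVIDERS[$host], rawurlencode($m[1]), rawurlencode($m[2]));

    // sandbox="allow-scripts" without allow-same-origin: the frame may run
    // scripts, but in an opaque origin that cannot touch the host page.
    return sprintf(
        '<iframe src="%s" sandbox="allow-scripts" loading="lazy" '
        . 'referrerpolicy="no-referrer" title="Embedded pen"></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample inputs for a quick manual run.
var_dump(buildSandboxedEmbed('https://codepen.io/someuser/pen/abcDEF'));  // iframe markup
var_dump(buildSandboxedEmbed('https://example.org/someuser/pen/abcDEF')); // null: host not allowlisted
var_dump(buildSandboxedEmbed('https://codepen.io/someuser/full/abcDEF')); // null: unexpected path shape
```

Note what this does and does not address: the sandbox stops the embedded script from running with the host page's privileges, which is the "local scope" concern Ryan raised, but the frame can still display arbitrary content, so the social engineering risk bfarber mentions for sites with less savvy users remains and is a policy decision rather than something an iframe attribute solves.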
