<?php
// in my_extension/ext_localconf.php
defined('TYPO3') or die();
// overrides `default` builder globally
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['default'] = \OliverHader\MyExtension\MyDefaultBuilder::class;
// actually it would be better to declare a new `my` builder
// to be used individually via TypoScript `stdWrap.parseFunc.htmlSanitize.build = my`
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['my'] = \OliverHader\MyExtension\MyDefaultBuilder::class;

<?php
// in my_extension/Classes/MyDefaultBuilder.php
namespace OliverHader\MyExtension;

class MyDefaultBuilder extends \TYPO3\CMS\Core\Html\DefaultSanitizerBuilder
{
    protected function createBehavior(): \TYPO3\HtmlSanitizer\Behavior
    {
        // overrides TYPO3's default builder
        // allows `iframe` tag with attrs `src` and `sandbox`
        // the `src` attr is limited further to
        // + regexp ^(https?://|/(?!/)|[^/:][^:]*$)
        // + or being a URI on the current TYPO3 host
        $behavior = parent::createBehavior();
        $iframeTag = (new \TYPO3\HtmlSanitizer\Behavior\Tag('iframe'))
            ->addAttrs($this->srcAttr, ...$this->createAttrs('sandbox'));
        $behavior = $behavior->withTags($iframeTag);
        return $behavior;
    }
}

And if someone else arrives there, here is a common definition for iframe:
$iframeTag = (new Tag('iframe'))
    ->addAttrs(
        array_merge(
            $this->globalAttrs,
            [$this->srcAttr],
            $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
        )
    );
You should `return $behavior->withTags($iframeTag);` and not `return $behavior;`
Thx for the remark, fixed it.
And if someone else arrives there, here is a common definition for iframe:
$this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
Side-note: Omitting to declare the `sandbox` attribute might (I did not test it in detail, therefore "might") introduce new security risks.
My tests so far included the following:
<iframe src="iframe.html"
sandbox="allow-downloads allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-scripts"></iframe>
Again: Not completely tested!
Another nice tweak is using `tel:` in `iframe` - in the past, some mobile clients directly called the given number.
<iframe src="tel:+1-234-56789"></iframe>
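The `src` regexp quoted in the builder comment, applied to iframe markup, as an added example that is not part of the gist or of TYPO3: for each `<iframe>` it reports whether `src` passes the pattern and whether `sandbox` is declared. `auditIframes()` and the sample markup are constructed for illustration, and the additional "URI on the current TYPO3 host" rule is not modelled.

```php
<?php
// Added example; not code from the gist or from TYPO3.
// Pattern copied from the comment in MyDefaultBuilder::createBehavior().
const SRC_PATTERN = '#^(https?://|/(?!/)|[^/:][^:]*$)#';

/**
 * Hypothetical helper: for every <iframe> in an HTML fragment, report
 * whether `src` passes the pattern and whether `sandbox` is declared.
 */
function auditIframes(string $html): array
{
    $previous = libxml_use_internal_errors(true); // tolerate fragment markup
    $doc = new DOMDocument();
    $doc->loadHTML('<body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        $src = $iframe->getAttribute('src');
        $findings[] = [
            'src' => $src,
            'srcAllowed' => preg_match(SRC_PATTERN, $src) === 1,
            'hasSandbox' => $iframe->hasAttribute('sandbox'),
        ];
    }
    return $findings;
}

// Constructed sample markup; the last line is the `tel:` case from the comment above.
$sample = <<<'HTML'
<iframe src="https://example.org/embed" sandbox="allow-scripts"></iframe>
<iframe src="iframe.html"></iframe>
<iframe src="/fileadmin/embed.html" sandbox=""></iframe>
<iframe src="//example.org/embed" sandbox=""></iframe>
<iframe src="tel:+1-234-56789"></iframe>
HTML;

foreach (auditIframes($sample) as $finding) {
    printf(
        "%-28s src %-8s sandbox %s\n",
        $finding['src'],
        $finding['srcAllowed'] ? 'allowed' : 'rejected',
        $finding['hasSandbox'] ? 'declared' : 'missing'
    );
}
```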
And if someone else arrives there, here is a common definition for iframe:
$iframeTag = (new Tag('iframe'))
    ->addAttrs(
        array_merge(
            $this->globalAttrs,
            [$this->srcAttr],
            $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
        )
    );
This throws an error on my setup.
Argument 1 passed to TYPO3\HtmlSanitizer\Behavior\Tag::addAttrs() must be an instance of TYPO3\HtmlSanitizer\Behavior\Attr, array given
I changed it to:
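$iframeTag = (new Tag('iframe'))
    ->addAttrs(
        // spread the merged array so each Attr is passed as its own argument
        ...array_merge(
            $this->globalAttrs,
            [$this->srcAttr],
            $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
        )
    );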