Regression in non-inline HyperText/iframe HTML support caused by a fix to a hypothetical vulnerability #5860
Labels
community:issue
A community reported issue
community:reviewed
Issue has been reviewed by the Label Studio Community Team.
Community
Community Feature Requests, Open Issues, Bugs Reported, or Comments
Comments
sajarin
added
Community
|
Hey @dchichkov thanks for the issue, I know it's been a while. The regression was intentional to a degree. We're open to contributions on how to get the best of both worlds but in terms of tradeoffs, we prioritized security here. Do you have any ideas on how we can improve this? |
16 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Annotating data within an iframe (wikipedia articles, etc) in the HyperText element is no longer possible, as <script> tags are filtered out from HTML content starting from 1.11.0. This is a regression in 1.11.0 caused by #5232
To Reproduce
Use non-inline iframe in the HyperText element and include <script> tag.
Expected behavior
It should be possible to render modern HTML that includes scripting withing the HyperText/iframe.
Environment (please complete the following information):
Additional context
Sanitized internal data or data from sources like wikipedia can not contain a hypothetical vulnerability highlighted by this CVE. This hypothetical vulnerability is also unimpactful, as the service is stand-alone and isolated from any high-value financial/industry targets.
The text was updated successfully, but these errors were encountered: