Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #2335

westonruter · 2019-05-16T18:25:44Z

When adding an iframe such as:

<iframe frameborder="no" height="200" scrolling="no" src="https://player.megaphone.fm/DEM1119155060?" width="100%"></iframe>

It gets converted into an amp-iframe successfully as:

<amp-iframe frameborder="0" height="200" scrolling="no" src="https://player.megaphone.fm/DEM1119155060?" width="640" sandbox="allow-scripts allow-same-origin" layout="intrinsic" class="amp-wp-enforced-sizes">
    <span placeholder="" class="amp-wp-iframe-placeholder"></span>
    <noscript>
        <iframe height="200" scrolling="no" src="https://player.megaphone.fm/DEM1119155060?" width="100%"></iframe>
    </noscript>
</amp-iframe>

Nevertheless, one AMP validation error is raised in the process:

This validation error is pointless, however, because the iframe that amp-iframe component generates already provides frameborder=0:

It seems that while HTML allows no as a synonym for 0 (and yes for 1), this is not supported by AMP:

  attrs: {
    name: "frameborder"
    value: "0"
    value: "1"
  }

Apparently this is not even allowed in HTML4, so it could just be a common author mistake (which browsers gracefully handle, and it has been deprecated/removed in HTML5):

  frameborder (1|0)          1         -- request frame borders? --

The AMP plugin makes the default frameborder=0 as seen in the generated example above. What is missing is when the $value is no it should be normalized to 0, and when yes normalized to 1:

amp-wp/includes/sanitizers/class-amp-iframe-sanitizer.php

Lines 153 to 158 in 437c335

    
           case 'frameborder': 
        
           	if ( '0' !== $value && '1' !== $value ) { 
        
           		$value = '0'; 
        
           	} 
        
           	$out[ $name ] = $value; 
        
           	break;

This will prevent a validation error from being raised, and it will allow iframe[frameborder=yes] to actually result in amp-iframe[frameborder=1] as the user intends.

The text was updated successfully, but these errors were encountered:

swissspidy · 2019-05-16T19:56:14Z

so it could just be a common author mistake (which browsers gracefully handle

Perhaps that comes from the other frame elements:

A frameset or frame element has a border if the following algorithm returns true:

If the element has a frameborder attribute whose value is not the empty string and whose first character is either a U+0031 DIGIT ONE (1) character, a U+0079 LATIN SMALL LETTER Y character (y), or a U+0059 LATIN CAPITAL LETTER Y character (Y), then return true.

Interesting read :)

westonruter · 2019-05-16T20:59:39Z

Good find. So it's not just yes and no but y and n that we also should handle 😄

westonruter added the Sanitizers label May 16, 2019

westonruter added this to the v1.1.2 milestone May 16, 2019

westonruter added the Good First Issue label May 16, 2019

westonruter removed this from the v1.1.2 milestone May 22, 2019

schlessera self-assigned this Aug 21, 2019

schlessera mentioned this issue Aug 21, 2019

Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #3064

Merged

2 tasks

westonruter added this to the v1.2.2 milestone Aug 22, 2019

westonruter closed this as completed in #3064 Aug 22, 2019

westonruter modified the milestones: v1.2.2, v1.3 Aug 27, 2019

schlessera added [Size] S and removed [Size] S labels Sep 2, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #2335

Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #2335

westonruter commented May 16, 2019

swissspidy commented May 16, 2019

westonruter commented May 16, 2019

Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #2335

Normalize frameborder=no|yes to frameborder=0|1 in iframe sanitizer #2335

Comments

westonruter commented May 16, 2019

swissspidy commented May 16, 2019

westonruter commented May 16, 2019