[Bug]: popup - iframe stop working on LWC 3.8

[josemvm]

What is the bug? (in English)

LWC 3.7.11
popup shows iframe in second table

LWC 3.8.3-pre
popup doesn´t show iframe in second table

LWC 3.7.11 and LWV 3.8.3-pre
data - everything works fine

Steps to reproduce the issue

try beteween these versions

Versions, safeguards, check summary etc

Versions :

• Lizmap Web Client : 3.8.3-pre.7994
• Lizmap plugin : 4.4.2
• QGIS Desktop : 3.34.11
• QGIS Server : 3.34.11
• Py-QGIS-Server : not used
• QGIS Server plugin atlasprint : 3.4.1
• QGIS Server plugin lizmap_server : 2.11.0
• QGIS Server plugin wfsOutputExtension : 1.8.2

List of Lizmap Web Client modules :

* multiauth : 1.2.2

List of safeguards :

* Mode : normal * Allow parent folder : no * Prevent other drive : no * Prevent PG service : no * Prevent PG Auth DB : no * Force PG user&pass : no * Prevent ECW : no

Check Lizmap plugin

• I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.

Operating system

Ubuntu 22.04

Browsers

Firefox

Browsers version

131.0.2

Relevant log output

No response

[josemvm]

this is the console output:

strange output... it's the same permissions to show the document in table (data tool) and as i said before on lwc 3.7 all works fine for popup tool and also for data tool

[josemvm]

lizmap-web-client/lizmap/modules/view/controllers/media.classic.php

Line 106 in fd79e97

protected function error403($message)

    protected function error403($message)
    {
        /** @var jResponseJson $rep */
        $rep = $this->getResponse('json');
        $rep->data = array('error' => '403 forbidden (you\'re not allowed to access to this media)', 'message' => $message);
        $rep->setHttpStatus('403', 'Forbidden');

        return $rep;
    }

[Antoviscomi]

@josemvm possibly related to #4707 ?

[josemvm]

hi @Antoviscomi i'm talking about html, <iframe> tag

[Antoviscomi]

@josemvm that's now sanified as well as all html tags to any dynamic container to avoid xss attacs, so all the readdresing on dynamic contents shall be unavailable.

[josemvm]

@josemvm that's now sanified as all html tags to dynamic container to avoid xss attacs, so all the readdresing on dynamic contents shall be unavailable.

@Antoviscomi yes i really understand the security issues but there should also be the possibility of creating exceptions for what is truly secure, i think

[Antoviscomi]

@josemvm I totally agree with you!

[josemvm]

[Antoviscomi]

@josemvm right but doesn't works without a parent layer, that is, if the layer that allows the iframe to be displayed does not have a parent or a relation setted I suppose. Furthermore the content you need to serve is a static file (.pdf) not a dynamic object, so the sanitization problem in case of dynamic content (in example html document with bookmarks) remains unsolved

[josemvm]

@josemvm right but doesn't works without a parent layer

yes, but it's very strange...

[nboisteault]

Fixed by #4953

[josemvm]

The transfer of “https://xxx.yyy.zzz/index.php/view/media/getMedia?repository=ma&project=operacoesU&path=media%2Fp_rusticos%2FR-ARL-C-2.pdf” was blocked because the iframe where it was triggered has the sandbox tag defined.

[josemvm]

the frame appears without content:

[josemvm]

LWC 3.8.4 - be354fcbc

[Antoviscomi]

@josemvm not in mine as you can see below using

<br>
		<p><iframe src=[%"n_link"%] width="540" height="700"></iframe></p>
</br>

and where [%"n_link"%] is the field containing the url of the html file callable from my internal domain

Video.del.21-01-2025.17.13.26.webm

[josemvm]

@Antoviscomi what is your lizmap version?

[Gustry]

@josemvm You are just reopening this ticket by only copy/pasting your error, without context.

From your error :

the iframe where it was triggered has the sandbox tag defined

Please search at least what sandbox means and share the code of the popup. Did you define sandbox in your popup ?

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox

If sandbox is present, then it's more "secure" than "not present".

Like the iframe of @Antoviscomi which doesn't have the sandbox attribute.

[Antoviscomi]

@Antoviscomi what is your lizmap version?

LWC 3.8.4 (3.8.4 - be354fcbc), the same as your @josemvm

[Antoviscomi]

@josemvm You are just reopening this ticket by only copy/pasting your error, without context.

From your error :

the iframe where it was triggered has the sandbox tag defined

Please search at least what sandbox means and share the code of the popup. Did you define sandbox in your popup ?

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox

If sandbox is present, then it's more "secure" than "not present".

Like the iframe of @Antoviscomi which doesn't have the sandbox attribute.

@Gustry @josemvm the behaviour it's correct with sandbox attribute also, for me:
<p><iframe src=[%"n_link"%] width="540" height="700" sandbox></iframe></p>
in dev browser console I read:
<iframe height="700" width="540" src="http://myhost/webgis/document/Norme_Attuative.html#AEA" sandbox="allow-scripts allow-forms"></iframe>
so I confirm there is not an issue in mine

[Gustry]

Yes, the sandbox atrribute can be added, but then it's up to the web server, (not related to Lizmap), to accept or not the request to serve the HTML content.

[Gustry]

Hum, not so sure, the iframe code can be analyzed from the webbrowser to see which attributes the sandbox can have after DOMPurify

lizmap-web-client/assets/src/modules/Utils.js

Line 214 in 7c5b679

node.setAttribute('sandbox','allow-scripts allow-forms');

[Antoviscomi]

yes, it's true!

I think the only definitive solution is to implement in the jelix framework a whitelist of IPs or Domains allowed to access the iframe in LWC, orherwise we'll forever affected from this behaviours

[Antoviscomi]

and what I read dev browser console on 3.7.14

<embed type="application/x-google-chrome-pdf" src="chrome-extension://mhjfbmdgcfjbbpaeojofohoefgiehjai/8fcb9fac-f28a-4af7-810f-795cfaf0855a" original-url="http://myhost/webgis/document/CE_15-21_AG.pdf" background-color="4283586137" javascript="allow">

Yes @josemvm as you can see, in 3.7.14 javascript are allowed

and what I read in 3.8.4 version

<div id="sub-frame-error-details" jsselect="summary" jsvalues=".innerHTML:msg" jstcache="1">Questa pagina è stata bloccata da Chrome</div>

that are locked in 3.8.4

[josemvm]

my domain in not a public domain, it is within my local network

[Antoviscomi]

my domain in not a public domain, it is within my local network

same as mine

[nboisteault]

I have not tested but if pdf files can be public you can put them in the root data folder above the repositories. You should be able to view them in iframes.

https://docs.lizmap.com/current/en/publish/configuration/media.html#use-a-single-media-folder-for-many-lizmap-folders

[Antoviscomi]

I have not tested but if pdf files can be public you can put them in the root data folder above the repositories. You should be able to view them in iframes.

https://docs.lizmap.com/current/en/publish/configuration/media.html#use-a-single-media-folder-for-many-lizmap-folders

@nboisteault true for LWC 3.7.14 but not in 3.8.4 at the moment, i had put the pdf in a root (server) folder, i serve this root independently to LWC so this appear as cross-origin to the browser… that lock my domain only in LWC 3.8.4 as I tried to explain in the above comment

[Antoviscomi]

@nboisteault true for LWC 3.7.14 but non in 3.8.4 at the moment, i had put the pdf in a root (server) folder, i serve this root independently to LWC so this appear as cross-origin to the browser… that lock my domain only in LWC 3.8.4 as I tried to explain in the above comment

@nboisteault and only for pdfs, I'm able to open .jpg, .html, .png and all other than pdfs

[Gustry]

Project https://sandbox.lizmap.com/lizmap_3_8/index.php/view/map?repository=tests&project=xss
Layer : iframe_pdf, click on the single red dot.

• On Firefox 115.14.0esr, it works, the PDF is visible.
• On Chomium 131.0.6778.264, I have a error :

This page has been blocked by Chromium

To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.

I'm not sure if this eval error is linked ?

[Antoviscomi]

@Gustry @nboisteault @josemvm is the pdf-viewer no more embedded or iframe is no more able to call it in LWC 3.4.8? I ask you because of, as you can see in screencast below,

Video.del.23-01-2025.16.45.25.webm

when I add the option pdf-viewer-update-enabled to the iframe def in browser console, my pdf MAGICALLY works fine again

[nboisteault]

https://developer.mozilla.org/en-US/docs/Learn_web_development/Core/Structuring_content/General_embedding_technologies#the_embed_and_object_elements

However, you are unlikely to use these elements very much. If you need to display PDFs, it's usually better to link to them, rather than embedding them in the page.

[Antoviscomi]

https://developer.mozilla.org/en-US/docs/Learn_web_development/Core/Structuring_content/General_embedding_technologies#the_embed_and_object_elements

However, you are unlikely to use these elements very much. If you need to display PDFs, it's usually better to link to them, rather than embedding them in the page.

that's what I need to do, but in 3.7.14 this work normally despite of how It works (or better, doesn't works) in 3.8.4. This because of in 3.7.14, pdf-viewer-update-enabled became automatically setted/called by LWC popup (or right doc in my case) activation on feature click in map, while in 3.8.4 doesn't.

[Antoviscomi]

I'm repeating myself but it only happens with pdfs and only in 3.8.4

[nboisteault]

We have made some changes in Lizmap 3.8.x to improve security against XSS. We'll accept a PR which improves PDF integration if it does not decrease security.

[Antoviscomi]

We have made some changes in Lizmap 3.8.x to improve security against XSS. We'll accept a PR which improves PDF integration if it does not decrease security.

So it's insecure to call pdf-viewer on popup open or in dock open?

[josemvm]

@Antoviscomi can you send the pdf-viewer-update-enabled into the popup html code popup and make it works? i thing that you are using chrome, but im my case i can´t do it like you do...

@nboisteault any chance to recover this functionality?

[Antoviscomi]

@Antoviscomi can you send the pdf-viewer-update-enabled into the popup html code popup and make it works? i thing that you are using chrome, but im my case i can´t do it like you do...

@josemvm both in Chrome as in FF if I try to pass pdf-viewer via Maptip it becomes sanitized/purified (I don't know why) I'm also trying to allow via Popup.js and Utils.js according to DOMPurify.sanitize in order to propose a PR but nothing! I also try to serve it by a node.js proxy server but nothing yet! The only way I found to temporarily view the pdf is via direct editing on html string in browser console! But my tests are in Progress

[josemvm]

@Antoviscomi thanks

[josemvm]

@Antoviscomi when i editing the html string in browser console this turns into:

<iframe height="500px" width="100%" src="https://xxx.yyy.zzz/index.php/view/media/getMedia?repository=ma&amp;project=operacoesU&amp;path=media%2Fp_rusticos%2FR-ARL-C-2.pdf" sandbox="allow-scripts allow-forms" pdf-viewer-update-enabled=""></iframe>

and doesn´t work...

[Gustry]

I'm also trying to allow via Popup.js and Utils.js according to DOMPurify.sanitize in order to propose a PR but nothing

have you tried to build Javascript ? https://github.com/3liz/lizmap-web-client/blob/master/CONTRIBUTING.md#building-javascript-only
Or just build by using the Docker stack provided https://github.com/3liz/lizmap-web-client/blob/master/tests/README.md#with-linux

[Antoviscomi]

@Gustry yes of course with no errors but I dont understand why the pdf it seems yet not allowed. There is any step after js compilation I need to follow? I.e. php configurator.php?

[nboisteault]

@Antoviscomi can you send the pdf-viewer-update-enabled into the popup html code popup and make it works? i thing that you are using chrome, but im my case i can´t do it like you do...

@nboisteault any chance to recover this functionality?

Possibly but as usual it needs time, so funds or PRs are welcome.

[Antoviscomi]

Possibly but as usual it needs time, so funds or PRs are welcome.

@nboisteault I'm trying to test an integration if it work I'll propose my PR

[Gustry]

There is any step after js compilation I need to follow? I.e. php configurator.php?

This is for installation.

Have you tried the docker setup ? It's pretty straight forward.

[Antoviscomi]

There is any step after js compilation I need to follow? I.e. php configurator.php?

This is for installation.

Have you tried the docker setup ? It's pretty straight forward.

No, @Gustry I've not! Because I work on a vm proxy exposed on the LAN, i don't need another (docker) IP to manage 😅
but my tests seems to fail at the moment, there is something I don't yet understand on dhe beaviour.

[josemvm]

@Antoviscomi did you try something like this (certainly yes):

const cleanHTML = DOMPurify.sanitize('<iframe src="meuDoc.pdf" width="100%" height="500"></iframe>', {
  ALLOWED_TAGS: ['iframe'],
  ALLOWED_ATTR: ['src', 'width', 'height'],
  SANITIZE_DOM: true,
  AFTER_SANITIZATION: function(node) {
    // Check if the src is a valid PDF
    if (node.tagName === 'IFRAME' && node.src && node.src.endsWith('.pdf')) {
      // Allow PDF
      return true;
    }
    return false;
  }
});

[Antoviscomi]

@josemvm yes I tried it but the DOMPurify acts on every .pdf locking it when is passed by an url or a php. I tried to create a new class pdf-frame container inside the popup, passing it a server-side encoded pdf (on html page) but nothing! The CORS and the policy adopted to avoid XSS don't allow/permit any type of pdf or pdf/application to work in iframe or object. I'm very discouraged

[josemvm]

So it's insecure to call pdf-viewer on popup open or in dock open?

i think so too

i think this is an overzealous approach to security within a popup or within a table

there are more pertinent security issues such as 2FA - it's just my opinion

we hope that 3liz team can fix this issue without compromising security

thanks to all

[Antoviscomi]

@Gustry @nboisteault @josemvm
Finally I think i found the only safe way to allow the display of pdfs in iframe.
I try to explain how my idea should works so as to have your approval to globalize it (at the moment works fine in my environment as in screencast below) and propose it as PR.
After countless attempts i discovered that the only way we have to display the pdfs in the popup is to encode them in an html page through a php script so as to incorporate
<script src="https://cdnjs.cloudflare.com/ajax/libs/pdf.js/2.5.207/pdf.min.js"></script>.
In this way the popup allows the entry and display of the pdf without problems.
My only doubts are:

1. can LWC use this <script src="https://cdnjs.cloudflare.com/ajax/libs/pdf.js/2.5.207/pdf.min.js"></script> from a licensing perspective?
2. can i upload the additional php to integrate with the popup management?

The tests I did are based on a Postgis layer to allow the dynamic choice of encoded pdfs directly from QGIS html Maptip (necessary because the html pages also have the encoded name to avoid DOMPurify sanitizing them because of the .pdf in the extension).
I have the idea of ​​making everything semi-automatic by leaving the admin the ability to choose the directory containing the pdfs and the postgis db within which the layer to link to the pdfs is located (important because the php scripts create a secure_id field within said file containing the names of the new htmls outputs stored) storing these variables as
[pdf_db]
(Containing Postgis's credentals db)
and
[pdf_in_path]
[html_encoded_path]
(for pdf in and out folders)
in profile.ini.php.
So I ask you if this approach can be valid, otherwise I do not globalize it and avoid proposing it as PR.
Let me know.

Video.del.03-02-2025.16.44.39.webm