Regression in non-inline HyperText/iframe HTML support caused by a fix to a hypothetical vulnerability
Describe the bug Annotating data within an iframe (wikipedia articles, etc) in the HyperText element is no longer possible, as
To Reproduce Use non-inline iframe in the HyperText element and include
Expected behavior It should be possible to render modern HTML that includes scripting within the HyperText/iframe.
Environment (please complete the following information):
- OS: [e.g. iOS]
- Label Studio Version 1.12.0
Additional context Sanitized internal data or data from sources like wikipedia cannot contain a hypothetical vulnerability highlighted by this CVE. This hypothetical vulnerability is also unimpactful, as the service is stand-alone and isolated from any high-value financial/industry targets.
Hey @dchichkov thanks for the issue, I know it's been a while.
The regression was intentional to a degree. We're open to contributions on how to get the best of both worlds but in terms of tradeoffs, we prioritized security here. Do you have any ideas on how we can improve this?