[Bug]: popup - iframe stop working on LWC 3.8

[josemvm]

What is the bug? (in English)

LWC 3.7.11
popup shows iframe in second table

LWC 3.8.3-pre
popup doesn´t show iframe in second table

LWC 3.7.11 and LWV 3.8.3-pre
data - everything works fine

Steps to reproduce the issue

try beteween these versions

Versions, safeguards, check summary etc

Versions :

• Lizmap Web Client : 3.8.3-pre.7994
• Lizmap plugin : 4.4.2
• QGIS Desktop : 3.34.11
• QGIS Server : 3.34.11
• Py-QGIS-Server : not used
• QGIS Server plugin atlasprint : 3.4.1
• QGIS Server plugin lizmap_server : 2.11.0
• QGIS Server plugin wfsOutputExtension : 1.8.2

List of Lizmap Web Client modules :

* multiauth : 1.2.2

List of safeguards :

* Mode : normal * Allow parent folder : no * Prevent other drive : no * Prevent PG service : no * Prevent PG Auth DB : no * Force PG user&pass : no * Prevent ECW : no

Check Lizmap plugin

• I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.

Operating system

Ubuntu 22.04

Browsers

Firefox

Browsers version

131.0.2

Relevant log output

No response

[josemvm]

this is the console output:

strange output... it's the same permissions to show the document in table (data tool) and as i said before on lwc 3.7 all works fine for popup tool and also for data tool

[josemvm]

lizmap-web-client/lizmap/modules/view/controllers/media.classic.php

Line 106 in fd79e97

protected function error403($message)

    protected function error403($message)
    {
        /** @var jResponseJson $rep */
        $rep = $this->getResponse('json');
        $rep->data = array('error' => '403 forbidden (you\'re not allowed to access to this media)', 'message' => $message);
        $rep->setHttpStatus('403', 'Forbidden');

        return $rep;
    }

[Antoviscomi]

@josemvm possibly related to #4707 ?

[josemvm]

hi @Antoviscomi i'm talking about html, <iframe> tag

[Antoviscomi]

@josemvm that's now sanified as well as all html tags to any dynamic container to avoid xss attacs, so all the readdresing on dynamic contents shall be unavailable.

[josemvm]

@josemvm that's now sanified as all html tags to dynamic container to avoid xss attacs, so all the readdresing on dynamic contents shall be unavailable.

@Antoviscomi yes i really understand the security issues but there should also be the possibility of creating exceptions for what is truly secure, i think

[Antoviscomi]

@josemvm I totally agree with you!

[josemvm]

[Antoviscomi]

@josemvm right but doesn't works without a parent layer, that is, if the layer that allows the iframe to be displayed does not have a parent or a relation setted I suppose. Furthermore the content you need to serve is a static file (.pdf) not a dynamic object, so the sanitization problem in case of dynamic content (in example html document with bookmarks) remains unsolved

[josemvm]

@josemvm right but doesn't works without a parent layer

yes, but it's very strange...

[nboisteault]

Fixed by #4953