Release 1.1.0 #6
Release 1.0.2
Allows users to paste iframe code directly into the block, which then extracts the URL, title, and attributes automatically. This improves the user experience by simplifying the process of embedding iframes. It also introduces the ability to manage iframe attributes directly from the block editor.
Adds a .wp-env.json file to enable plugin loading in the local WordPress development environment, facilitating testing of the plugin's features during development.
Improves the Iframe block by allowing users to paste iframe HTML code directly into the URL field. The block now parses the iframe code to extract the URL, title, and attributes, and pre-fills the corresponding fields. This change enhances the user experience by simplifying the process of embedding iframes.
Improves the iframe block by refining how iframe code is parsed and how the URL or iframe source is handled in the editor. It now correctly parses iframe tags, extracts attributes, and provides better user guidance for inputting iframe code or URLs. Also, excludes the `style` attribute from being extracted, as it requires object format in React.
Ensures a default aspect ratio of 1:1 for iframes that do not have an explicit aspect ratio defined. This prevents layout issues where the iframe might collapse or render incorrectly, especially during initial loading or when aspect ratio is not properly handled by the embedding context.
Allows pasting iframe code into the editor
Updates the French translations for the iframe block to reflect changes in the source code. Specifically, it changes the "URL" field to "Source" and provides more flexible input options for the iframe source, now allowing both URLs and iframe code.
Bumps the plugin version to 1.1.0 across all relevant files. This change prepares the plugin for a new release.
| ]; | ||
|
|
||
| return excludedAttrs.includes( attributeName.toLowerCase() ); | ||
| } |
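Review bot: `excludedAttrs.includes( attributeName.toLowerCase() )` is an exact-name deny-list, so any attribute not spelled out in `excludedAttrs` is kept by default and every `on*` handler would need its own entry. Invert the check into an allow-list of the iframe attributes the block supports, or at minimum add a prefix test such as `startsWith( 'on' )` on the lower-cased name next to the `includes` call.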
Unfiltered iframe attributes allow JavaScript event handlers
Medium Severity
The `isExcludedIframeAttribute` function filters deprecated and managed attributes but doesn't exclude JavaScript event handlers (`onload`, `onerror`, `onfocus`, etc.) or the `srcdoc` attribute. When iframe code containing these attributes is pasted, they are preserved and rendered in the saved block HTML. The `srcdoc` attribute is particularly concerning since it allows inline HTML content that takes precedence over `src`, potentially enabling stored XSS. An iframe like `<iframe src="https://legit.com" title="test" onload="malicious()" srcdoc="<script>...</script>">` would pass validation while containing executable code.
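The gap described in this review comment, as an added example that is not part of the PR or the plugin's code: an exact-name deny-list next to an allow-list, run over constructed attribute pairs. `filterIframeAttributes`, both lists and the sample input are assumptions made for illustration.

```javascript
// Added example; names below are hypothetical, not the plugin's API.

// Deny-list in the shape of the reviewed function: exact, lower-cased names.
// The entries are constructed; the plugin's real list is not shown on the page.
const EXCLUDED = [ 'src', 'title', 'style', 'frameborder', 'scrolling' ];
const passesDenyList = ( name ) => ! EXCLUDED.includes( name.toLowerCase() );

// Allow-list: anything not named here is dropped, so event handlers and
// srcdoc never need to be enumerated. src and title are left out because
// the block stores them in their own fields.
const ALLOWED = new Set( [
	'allow', 'allowfullscreen', 'loading', 'name', 'referrerpolicy', 'sandbox',
] );

function filterIframeAttributes( attrs ) {
	const kept = [];
	const dropped = [];
	for ( const { name, value } of attrs ) {
		// Normalise before matching so "OnError" and " onload" are caught too.
		const key = String( name ).trim().toLowerCase();
		( ALLOWED.has( key ) ? kept : dropped ).push( { name: key, value } );
	}
	return { kept, dropped };
}

// Constructed input: attribute pairs as a parser would return them for
// pasted iframe code.
const PASTED = [
	{ name: 'src', value: 'https://example.com/embed' },
	{ name: 'title', value: 'test' },
	{ name: 'allowfullscreen', value: '' },
	{ name: 'sandbox', value: 'allow-scripts' },
	{ name: 'onload', value: 'handler()' },
	{ name: 'OnError', value: 'handler()' },
	{ name: 'srcdoc', value: '<p>inline document</p>' },
];

const names = ( list ) => list.map( ( a ) => a.name ).join( ',' );
const denyListResult = names( PASTED.filter( ( a ) => passesDenyList( a.name ) ) );
const allowListResult = names( filterIframeAttributes( PASTED ).kept );

console.log( 'deny-list keeps: ', denyListResult );
console.log( 'allow-list keeps:', allowListResult );
```

Logging the `dropped` list in the editor gives the user a visible record of which pasted attributes were discarded.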
| url: value, | ||
| iframeAttributes: [], | ||
| } ); | ||
| } |
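Review bot: `iframeAttributes: []` next to `url: value` resets the stored attributes on every plain-URL input, so a one-character URL edit drops them; that goes beyond convenience if one of the dropped attributes is a restriction such as `sandbox`. Set only `url: value` in this update and clear `iframeAttributes` when the field is emptied or new iframe code is pasted.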
Editing URL field silently clears extracted iframe attributes
Medium Severity
When a user pastes iframe code, the URL is extracted and displayed in the Source field while `iframeAttributes` (like `allowfullscreen`, `allow`, etc.) are stored separately. If the user then edits the URL field to fix a typo or update it, `parseIframeCode` returns `null` (since it's now just a URL, not iframe code), and the else branch sets `iframeAttributes: []`. This silently discards all previously extracted custom attributes without any indication to the user. The attributes should be preserved when editing just the URL.
Release 1.1.0
Note
Introduces iframe HTML parsing and attribute handling to improve block flexibility.
- `Source` field; extracts `src` and `title`, strips inner HTML, and stores remaining attributes in `iframeAttributes`
- `edit.js` and `save.js` via `convertAttributesToProps()` with React prop name mapping and boolean attribute support
- `src/blockparty-iframe/utils.js` providing `parseIframeCode()`, `convertAttributesToProps()`, `mapHtmlAttributeToReact()`, `isBooleanAttribute()`, and `isExcludedIframeAttribute()`
- po/.pot/.json) and new npm scripts (`make-pot`, `make-json`)
- `aspect-ratio: 1` and `min-height: unset`
- `1.1.0`; minor project/config updates (`.wp-env.json`, metadata)

Written by Cursor Bugbot for commit d4553f0.