Concerns about embedded HTML and iframes

Hi,

I’m investigating the possibility of using Ghost for a community web page. I saw there is the possibility to embed an HTML container in a post.

Is it possible to forbid/allow embedding HTML only for certain users? Some posts will be imported from an external source. Is it possible to deactivate the rendering of embedded HTML for such posts, or should I manually clean up the text body before importing?

I’m not very experienced with the web, but I have heard many scary things about embedding HTML and iframes into blogs.

Sure, if only I would post on my web page, the embedded HTML would make me more flexible. But if anybody can post, is it good?

Thanks

Georg

The easiest solution is probably to set the roles of your users to Contributor so they can’t publish any posts. I don’t know whether or not this prevents them from making edits to a post of theirs after the post has already been published.

If you wanted them to be able to publish their own articles, I could perhaps see a solution where you set a custom routes.yml rule where all posts of a given author are rendered using a specific template that includes a script that will find and delete all embeds.

Anything beyond this will probably require a modification to the core ghost files and I doubt you want to go that far.

You’re generally right to be concerned about allowing anyone to embed whatever they want; however, I think you’re probably best served by restricting roles and having a trusted user review every post before publishing. There’s a lot of damage that could be done using JavaScript as well, which would be more difficult to protect against unless you want to turn it off entirely (and lose a lot of potential functionality in the process).
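Georg asked whether imported post bodies should be cleaned up before import, and the reply suggests a template script that deletes embeds at render time. The following is an added example, not code from either poster and not Ghost’s own code, of the server-side alternative: an allowlist sanitizer that re-serializes only known-safe tags and attributes, drops `<script>`, `<iframe>`, `<object>` and similar elements together with their contents, and rejects `javascript:`/`data:` URLs. The caveat a practitioner would add is that a script running in the rendered page executes only after the browser has already parsed the post body, created any iframes (which start loading immediately) and run any inline scripts, so the cleanup has to happen before the HTML reaches the database. The tag and attribute allowlists and the sample post body are assumptions constructed for the example; a real import pipeline should use a maintained sanitizer library, but this is the shape such a library takes.

```python
"""Allowlist sanitizer for post bodies imported from an untrusted source.

Added example (not Ghost code): re-serializes only known-safe tags and
attributes, drops <script>/<iframe>/<object>/... together with their contents,
and rejects javascript:/data: URLs. Tag and attribute lists are assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: everything not listed here is stripped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "b", "i", "a", "ul", "ol", "li",
                "blockquote", "code", "pre", "h2", "h3", "h4", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# These are removed together with everything between their open and close tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "noscript",
                     "template", "svg", "math"}


def safe_url(value):
    """Return the URL if its scheme is relative or allowlisted, else None."""
    # Browsers ignore ASCII control characters and whitespace inside a URL, so
    # "java\tscript:alert(1)" still executes; strip them before checking.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme  # urlparse lowercases the scheme
    return cleaned if scheme == "" or scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes &colon; etc. before we inspect values
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags still open, so output stays balanced
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # silently drops onclick=, style=, srcdoc=, ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close anything still open inside the element being closed.
        while True:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base class, which discards them.

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample of an imported post body, not real data.
IMPORTED_POST = (
    '<p onclick="steal()">Hello <b>world</b></p>'
    '<iframe src="https://evil.example/"></iframe>'
    '<script>document.cookie</script>'
    '<a href="java\tscript:alert(1)">bad link</a>'
    '<a href="https://example.com/">good link</a>'
    '<img src="/pic.png" onerror="alert(1)">'
    '<div>text in an unknown tag survives</div>'
)

if __name__ == "__main__":
    print(sanitize(IMPORTED_POST))
```

Run this over each imported body before it is written into the import file; the output for the constructed sample keeps the paragraph, the good link and the image but loses the iframe, the script, the event handlers and the `javascript:` href. Unknown tags such as `<div>` are stripped while their text is kept, and unclosed allowed tags are closed so the stored HTML stays well-formed.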