OS: Windows Server 2012 R2
Java Version: 11.07
Tomcat Version: 9.0.35
Lucee Version: 126.96.36.199
Part of our application allows users to embed an <iframe into a text area that then gets saved as a blog post. The Lucee script protection is turned on and will strip the <iframe part of the markup to <invalidtag when it is saved. I understand Lucee is trying to save us from malicious users.
I can turn off form scope script protection in Lucee Administrator. But we would rather not turn protection off.
Does anyone have a suggestion for a safer way to allow users to embed videos into their blog posts? My initial thought is to accept the settings for embedding a video and then have our source code handle the embedding of the iframe rather than allowing the users to upload markup to our database.
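The approach proposed in the last paragraph, as an added example that is not part of the original post and is not Lucee's or the application's own code: the form submits only a provider name and a video ID, so no markup passes through the form scope and script protection can stay on. The function name `renderVideoEmbed`, the provider table, the ID patterns and the sandbox tokens are assumptions made for illustration.

```cfml
<cfscript>
// Hypothetical allowlist (assumption): each provider has a strict ID pattern
// and a fixed embed URL prefix. The user never supplies a URL or any markup.
variables.embedProviders = {
    "youtube": { idPattern: "^[A-Za-z0-9_-]{11}$", base: "https://www.youtube-nocookie.com/embed/" },
    "vimeo":   { idPattern: "^[0-9]{6,12}$",       base: "https://player.vimeo.com/video/" }
};

/**
 * Builds the iframe from a stored (provider, videoId) pair.
 * Returns an empty string when the pair fails validation, so a bad
 * record renders nothing instead of attacker-controlled markup.
 */
string function renderVideoEmbed(
    required string provider,
    required string videoId,
    numeric width  = 560,
    numeric height = 315
) {
    var key = lCase( trim( arguments.provider ) );
    if ( !structKeyExists( variables.embedProviders, key ) ) return "";

    var p  = variables.embedProviders[ key ];
    var id = trim( arguments.videoId );
    if ( reFind( p.idPattern, id ) == 0 ) return "";

    // Clamp dimensions so stored values cannot be used to cover the page.
    var w = max( 200, min( 1280, int( arguments.width ) ) );
    var h = max( 113, min( 720,  int( arguments.height ) ) );

    // The ID already matched a strict pattern; encode anyway as a second layer.
    // Sandbox tokens are an assumption: adjust them to what the player needs.
    return '<iframe src="' & encodeForHTMLAttribute( p.base & id ) & '"'
         & ' width="' & w & '" height="' & h & '"'
         & ' sandbox="allow-scripts allow-same-origin allow-presentation"'
         & ' referrerpolicy="strict-origin-when-cross-origin"'
         & ' loading="lazy" allowfullscreen></iframe>';
}

// Constructed sample values, not real video IDs.
writeOutput( renderVideoEmbed( "youtube", "AAAAAAAAAAA" ) );            // renders an iframe
writeOutput( renderVideoEmbed( "youtube", '"><script>alert(1)' ) );     // renders nothing
writeOutput( renderVideoEmbed( "example-host", "12345678" ) );          // unknown provider: nothing
</cfscript>
```

Store the provider and ID in their own columns and call the function at render time, so tightening the allowlist later applies to every existing post.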