Am I not allowed to embed youtube videos in course About page? (iframes being stripped)

I find that students don’t notice the course introduction video embedded in the upper right corner of my course About pages. So I’d like to make it prominently displayed in the main body of the course description. However, when I add the below YouTube-recommended embedding code to the About page HTML, it doesn’t show up. Any idea why it doesn’t show up?

<iframe width="560" height="315" src="https://www.youtube.com/embed/3_yD_cEKoCk?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

Your browser’s developer console (the F12 tools) should provide some kind of error message like “iframe blocked due to CSP” or something. Hard to say what’s going on without that information.

(Also confirm using the devtools’ HTML Inspector that the iframe embedding code is actually there, and hasn’t been stripped out.)

Here’s what I put in the Course Overview for the class:

But here’s what shows up in the source code when I look at the developer console in Chrome:

Basically the iframe code seems to be straight up missing?

Ah, OK. So maybe the platform is stripping out “unsafe” HTML. I’m not sure what the options are here.

FWIW this appears to still behave this way in Nutmeg. Anyone have any idea how to get around it?

I have a found the case of this and have just submited a fix for it (and another minor issue). fix: course about page html rendering by ghassanmas · Pull Request #30853 · openedx/edx-platform · GitHub

The problem was the content would be renderd clean_dangerous_html however when I changed with HTML, the iframe was shown.
I am not 100% sure this the correct fix, you could the follow the PR I linked above until we get a review.

Excellent find! I will apply this to my fork of edx-platform that has the other fixes I’m waiting on.

I suspect this may not be an acceptable fix for everyone, because I can imagine that perhaps some platforms are treating their instructors as untrusted, and thus don’t want them inserting HTML that may be dangerous to students…(although if that’s true I’m wondering whether normal HTML units are similarly filtered?). However on our platform the instructors are treated as trusted, and thus we’re not worried about them injecting malicious HTML.

I was exactly thinking about that and I am not sure as wel whether, there is a census if this would be classfied as okay (i.e. convience role over secuirty) or not (security is more important than convenience).

I will try to bring this topic up to relevant stackholder, or lets see how the review goes.