Am I not allowed to embed YouTube videos in the course About page? (iframes being stripped)

I find that students don’t notice the course introduction video embedded in the upper right corner of my course About pages. So I’d like to make it prominently displayed in the main body of the course description. However, when I add the below YouTube-recommended embedding code to the About page HTML, it doesn’t show up. Any idea why it doesn’t show up?

<iframe width="560" height="315" src="https://www.youtube.com/embed/3_yD_cEKoCk?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

Your browser’s developer console (the F12 tools) should provide some kind of error message like “iframe blocked due to CSP” or something. Hard to say what’s going on without that information.

(Also confirm using the devtools’ HTML Inspector that the iframe embedding code is actually there, and hasn’t been stripped out.)

Here’s what I put in the Course Overview for the class:

But here’s what shows up in the source code when I look at the developer console in Chrome:

Basically the iframe code seems to be straight up missing?

Ah, OK. So maybe the platform is stripping out “unsafe” HTML. I’m not sure what the options are here.

FWIW this appears to still behave this way in Nutmeg. Anyone have any idea how to get around it?

I have found the cause of this and have just submitted a fix for it (and another minor issue). fix: course about page html rendering by ghassanmas · Pull Request #30853 · openedx/edx-platform · GitHub

The problem was that the content would be rendered with clean_dangerous_html; however, when I changed it to HTML, the iframe was shown.
I am not 100% sure this is the correct fix; you could follow the PR I linked above until we get a review.

Excellent find! I will apply this to my fork of edx-platform that has the other fixes I’m waiting on.

I suspect this may not be an acceptable fix for everyone, because I can imagine that perhaps some platforms are treating their instructors as untrusted, and thus don’t want them inserting HTML that may be dangerous to students…(although if that’s true I’m wondering whether normal HTML units are similarly filtered?). However on our platform the instructors are treated as trusted, and thus we’re not worried about them injecting malicious HTML.

I was thinking exactly about that, and I am not sure either whether there is a consensus on whether this would be classified as okay (i.e. convenience rules over security) or not (security is more important than convenience).

I will try to bring this topic up with the relevant stakeholders, or let's see how the review goes.

So I noticed the pull request got rejected, but I decided to go ahead and try this anyway. Long story short, after a couple of weeks I noticed that my capability to generate grade reports had broken, and I couldn’t figure out why, since I didn’t think I had made any new major or breaking changes to the platform! I only figured this out by reverting my repository back to the version before this change, and then reports started working again.

So a warning to others, don’t attempt to use this patch as-is!

I guess in the future it will require the more complicated change to clean_dangerous_html which I don’t know how to do. @ghassan do you know how to do that? If so, I can test it on Nutmeg (which I’ll be upgrading to Olive soon.)

@Rohan I am sorry to hear about that, and actually, a bit surprised how a change to course_about.html broke the grading report!

In any case, yes, the PR was rejected and the suggested alternative is outlined in this comment. It would take time to dig into it.

If you are in a rush for an urgent fix, I am happy to do that as a consultant (ghassan@zaat.dev). Note: I am one of the official providers of the Open edX platform.
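The thread's two positions (a sanitizer that strips every iframe, versus rendering the author's HTML unfiltered) have a middle ground: keep sanitizing, but let through iframes whose `src` points at an approved embed origin. The following is an added example, not edx-platform's `clean_dangerous_html` and not the alternative proposed in the PR review; the tag list, the host list and the names `is_allowed_embed` and `sanitize` are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example (not edx-platform's allowlist).
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
ALLOWED = dict.fromkeys(("p", "b", "i", "em", "strong", "ul", "ol", "li", "h2", "br"), frozenset())
ALLOWED["iframe"] = {"src", "width", "height", "title", "allowfullscreen"}
DROP_CONTENT = {"script", "style", "iframe"}  # never emit what is inside these

def is_allowed_embed(src):
    """True only for https://<allowed host>/embed/<id>[?query]; matching the
    whole netloc also rejects userinfo and explicit ports."""
    try:
        u = urlsplit(src or "")
    except ValueError:
        return False
    return (u.scheme == "https" and u.netloc.lower() in EMBED_HOSTS
            and re.fullmatch(r"/embed/[A-Za-z0-9_-]+", u.path) is not None)

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if self.skip == 0 and tag in ALLOWED:
            kept = {}
            for name, value in attrs:  # first duplicate wins, as in browsers
                if name in ALLOWED[tag]:
                    kept.setdefault(name, value or "")
            if tag != "iframe" or is_allowed_embed(kept.get("src")):
                rendered = "".join(' %s="%s"' % (k, escape(v, quote=True)) for k, v in kept.items())
                close = "</iframe>" if tag == "iframe" else ""
                self.out.append("<%s%s>%s" % (tag, rendered, close))
        if tag in DROP_CONTENT:
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip == 0 and tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if self.skip == 0:  # text is re-escaped, so stray markup stays inert
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```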