CKEditor 4.21: The attribute sandbox is added automatically to iframes

Thanks, Sam.

The sandbox attribute on an iframe is intended to provide greater security for end-users by limiting the capabilities of the iframe (e.g., putting it in a sandbox). It’s not “broken” in CKEditor. LMS power users often want the ability to embed rich content from other sites. It’s difficult for all external sites to keep up with browser changes and many of these sites may not yet work in an iframe sandbox.

As always, please clear your browser cache before testing updated JS code.

Thanks Miguel. I see that it is CKEditor issue. I wonder if it is fixed in version 5 of CkEditor. We also updated to the latest 22.x update overnight and it did not fix the sandbox problem.

@Bonnie Powers I’m sorry you had issues with the sandbox attribute, I’d like to mention that the behavior was introduced by the CkEditor upgrade and it was unintended, the previous CkEditor version is affected by several security vulnerabilities and fixing them added this behavior. Once we identified the issue we provided a fix for it.

Yes, feel free to test on trunk, 23.x, or 22.x.