Drupal 8 and 9: How to avoid stripping of iframe tags like Google Maps and YouTube
By default, Drupal's text formatting has internal controls for security. Text formats define how text is filtered for output and how HTML tags and other text are displayed, replaced, or removed. Please take note: improper text format configuration is a security risk. The Basic text format is normally reserved for non-admins only, while the Full text format should be reserved for full administrators of the website, who can use unrestricted tags including iframe tags.
Therefore, when embedding iframes such as Google Maps or YouTube videos, one should switch to Full HTML, toggle to source code view, then paste and save the embed code.
You may wish to assign the same permissions and allowed HTML tags to the Basic text format, for example for non-full administrators such as publishers and encoders. To do that, we need to allow the iframe tag in the Basic text format. This text format has a filter enabled by default, Limit allowed HTML tags and correct faulty HTML, again for security purposes. To allow iframe code and tag insertion:
- Go to Text formats and editors /admin/config/content/formats
- Edit Basic text HTML (this text format is allowed for administrators only by default, a necessity so that only admins can embed iframe tags, which pose some security risks)
- Under Limit allowed HTML tags and correct faulty HTML > Allowed HTML tags, add the <iframe> tag to the list
If, for some reason, your Drupal 8 setup is still stripping your iframe tags and code (we have experienced one template issue which strips the code from the frontend only, while the iframe is visible from the backend), you may wish to try the following modules, which helped us with the issue:
- CKEditor iFrame - which adds the iFrame dialog plugin to CKEditor, providing a button for inserting iframes from the toolbar
- iframes from displaying according to hostnames, where you can explicitly exclude restrictions of iframes by domain such as google.com and youtube.com
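The hostname restriction mentioned in the last item can be illustrated with a small check, added here as an example (it is not code from this article or from either module). It parses the iframe `src` the way a browser does and accepts it only when the host is an allowed domain or a subdomain of one; the function names and sample URLs are constructed for illustration, and only google.com and youtube.com come from the text above.

```javascript
// Allowed embed domains (the two named in the article).
const ALLOWED_HOSTS = ["google.com", "youtube.com"];

// Returns true only when `src` is an absolute https URL whose host is an
// allowed domain or a subdomain of one. Hypothetical helper, not a Drupal API.
function isAllowedIframeSrc(src, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    // No base URL is passed, so relative and protocol-relative values
    // ("/page", "//host/path") throw and are rejected.
    url = new URL(String(src).trim());
  } catch (e) {
    return false;
  }
  // Only https embeds: this also rejects javascript:, data: and http: values.
  if (url.protocol !== "https:") return false;
  // Reject userinfo, where an allowed name appears before "@" but is not the host.
  if (url.username || url.password) return false;
  // The parser lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  // Exact match, or a subdomain with a dot boundary so "notgoogle.com" fails.
  return allowedHosts.some((d) => host === d || host.endsWith("." + d));
}

// Returns the subset of `srcs` that the check above would refuse.
function rejectedSrcs(srcs, allowedHosts = ALLOWED_HOSTS) {
  return srcs.filter((s) => !isAllowedIframeSrc(s, allowedHosts));
}

// Constructed sample values, not taken from any real site.
const SAMPLE_SRCS = [
  "https://www.youtube.com/embed/VIDEO_ID",
  "https://www.google.com/maps/embed?pb=PLACEHOLDER",
  "https://WWW.YouTube.com./embed/VIDEO_ID",
  "https://notgoogle.com/maps/embed",
  "https://www.google.com.other.example/maps",
  "https://google.com@other.example/maps",
  "http://www.youtube.com/embed/VIDEO_ID",
  "//www.youtube.com/embed/VIDEO_ID",
  "javascript:void(0)",
];

console.log(rejectedSrcs(SAMPLE_SRCS));
```

A plain substring or prefix match on the `src` would accept several of the rejected samples, which is why the comparison is made on the parsed hostname.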