lib/onebox/preview.rb in onebox-2.0.2 vs lib/onebox/preview.rb in onebox-2.1.0

- old
+ new

@@ -5,14 +5,18 @@
 # see https://bugs.ruby-lang.org/issues/14688
 client_exception = defined?(Net::HTTPClientException) ? Net::HTTPClientException : Net::HTTPServerException
 WEB_EXCEPTIONS ||= [client_exception, OpenURI::HTTPError, Timeout::Error, Net::HTTPError, Errno::ECONNREFUSED]
- def initialize(link, parameters = Onebox.options)
+ def initialize(link, options = Onebox.options)
 @url = link
- @options = parameters
- @engine_class = Matcher.new(@url).oneboxed
+ @options = options.dup
+
+ allowed_origins = @options[:allowed_iframe_origins] || Onebox::Engine.all_iframe_origins
+ @options[:allowed_iframe_regexes] = Engine.origins_to_regexes(allowed_origins)
+
+ @engine_class = Matcher.new(@url, @options).oneboxed
 end
 def to_s
 return "" unless engine
 sanitize process_html engine_html
@@ -61,10 +65,13 @@
 html
 end
 def sanitize(html)
- Sanitize.fragment(html, @options[:sanitize_config] || Sanitize::Config::ONEBOX)
+ config = @options[:sanitize_config] || Sanitize::Config::ONEBOX
+ config = config.merge(allowed_iframe_regexes: @options[:allowed_iframe_regexes])
+
+ Sanitize.fragment(html, config)
 end
 def engine
 return nil unless @engine_class
 return @engine if @engine
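Review bot: The fallback in `initialize` (`@options[:allowed_iframe_origins] || Onebox::Engine.all_iframe_origins`) widens the allowlist to every engine's origins whenever the key is missing or nil, and any `:allowed_iframe_regexes` value a caller passed in is overwritten without notice; neither behaviour is documented. I would add a comment above the assignment such as `# nil/absent :allowed_iframe_origins means "all origins declared by engines"; an explicit list replaces that default`. `Engine.origins_to_regexes` is not visible in this hunk, so it is worth confirming that the patterns it builds are anchored at both ends of the origin, otherwise a host that merely contains an allowed origin could match. The constant is also written `Onebox::Engine` on one line and `Engine` on the next; one spelling should be used for both.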
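Review bot: In `sanitize`, the merged `:allowed_iframe_regexes` key restricts nothing by itself; it only takes effect if a transformer in the chosen config reads it, which `Sanitize::Config::ONEBOX` presumably does (not visible here). A caller-supplied `:sanitize_config` that permits `iframe` but lacks such a transformer would silently skip the origin check. I would document this above the merge, e.g. `# :allowed_iframe_regexes is enforced only by a transformer that reads it; a custom :sanitize_config must include one`, and add a spec showing that a custom config still drops an iframe whose src is off the allowlist.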