lib/onebox/sanitize_config.rb in onebox-2.0.2 vs lib/onebox/sanitize_config.rb in onebox-2.1.0


@@ -10,11 +10,11 @@
attributes: {
'a' => RELAXED[:attributes]['a'] + %w(target),
'audio' => %w[controls],
'embed' => %w[height src type width],
- 'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href],
+ 'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
'source' => %w[src type],
'video' => %w[controls height loop width autoplay muted poster controlslist playsinline],
'path' => %w[d],
'svg' => ['aria-hidden', 'width', 'height', 'viewbox'],
'div' => [:data], # any data-* attributes,
@@ -36,9 +36,25 @@
a_tag['href'] ||= '#'
if a_tag['href'] =~ %r{^(?:[a-z]+:)?//}
a_tag['rel'] = 'nofollow ugc noopener'
else
a_tag.remove_attribute('target')
+ end
+ end,
+
+ lambda do |env|
+ next unless env[:node_name] == 'iframe'
+
+ iframe = env[:node]
+ allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/]
+
+ allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }
+
+ if !allowed
+ # add a data attribute with the blocked src. This is not required
+ # but makes it much easier to troubleshoot onebox issues
+ iframe["data-unsanitized-src"] = iframe["src"]
+ iframe.remove_attribute("src")
end
end
],
protocols: {
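Review bot: The allow-list check `allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }` in the second hunk is an unanchored substring match, so a configured pattern that does not anchor the scheme and host also accepts a src whose path or query merely contains the expected text; since the patterns come from the caller via `env[:config][:allowed_iframe_regexes]`, that contract should be stated next to the check, e.g. `# each pattern must anchor scheme and host (\A...) — =~ matches anywhere in src`. The fallback `|| [/.*/]` is fail-open: a config that omits the key lets every iframe src through, and this page does not show where the key is merged into the config, so a comment naming that expectation (or a tighter default) would help the next maintainer. As a point of style, `if !allowed` reads better as `unless allowed`, and `iframe["src"]` could be read once into a local before the `any?` and the data-attribute assignment. The enclosing `transformers` array begins outside the hunk.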