lib/onebox/sanitize_config.rb in onebox-2.0.2 vs lib/onebox/sanitize_config.rb in onebox-2.1.0
- old
+ new
@@ -10,11 +10,11 @@
attributes: {
'a' => RELAXED[:attributes]['a'] + %w(target),
'audio' => %w[controls],
'embed' => %w[height src type width],
- 'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href],
+ 'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
'source' => %w[src type],
'video' => %w[controls height loop width autoplay muted poster controlslist playsinline],
'path' => %w[d],
'svg' => ['aria-hidden', 'width', 'height', 'viewbox'],
'div' => [:data], # any data-* attributes,
@@ -36,9 +36,25 @@
a_tag['href'] ||= '#'
if a_tag['href'] =~ %r{^(?:[a-z]+:)?//}
a_tag['rel'] = 'nofollow ugc noopener'
else
a_tag.remove_attribute('target')
+ end
+ end,
+
+ lambda do |env|
+ next unless env[:node_name] == 'iframe'
+
+ iframe = env[:node]
+ allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/]
+
+ allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }
+
+ if !allowed
+ # add a data attribute with the blocked src. This is not required
+ # but makes it much easier to troubleshoot onebox issues
+ iframe["data-unsanitized-src"] = iframe["src"]
+ iframe.remove_attribute("src")
end
end
],
protocols: {
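Review bot: The allow-list test at `allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }` is an unanchored substring match against whatever regexes the caller supplies, so an entry written as `^https://example\.com/` or without any anchor still matches a src that merely contains that text (`^`/`$` also match per line in Ruby, so a src with an embedded newline gets past a `^`-anchored pattern). The check itself cannot fix that, but it should state the contract for `allowed_iframe_regexes` — that each regex must be anchored with `\A` and `\z` and match the full src — and use `match?` so no MatchData is built: `allowed = allowed_regexes.any? { |r| r.match?(iframe["src"].to_s) }`. The `.to_s` also covers an iframe with no src, which currently fails every `=~`, gets an empty `data-unsanitized-src` attribute and a no-op `remove_attribute`; `if !allowed` reads better as `unless allowed`. The default `[/.*/]` when the key is absent means every iframe src is accepted, which deserves a comment such as `# no allowed_iframe_regexes configured: accept any src (protocol filtering still applies below)`. The transformers array closes inside the hunk, but the enclosing config hash starts and ends outside it.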