From 0781f28ca6e8ac9fe9a2ebf0707db7952a148b5e Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Fri, 18 Dec 2020 01:17:49 -0500
Subject: [PATCH] Allow support for allowlisted iframe sources in Content\text\BBCode::convert - Support Youtube, Vimeo and unused local embeds
---
 src/Content/Text/BBCode.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index e41511f5a..2563194f2 100644
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1876,6 +1876,14 @@ class BBCode
 $config = \HTMLPurifier_HTML5Config::createDefault();
 $config->set('HTML.Doctype', 'HTML5');
+ $config->set('HTML.SafeIframe', true);
+ $config->set('URI.SafeIframeRegexp', '%^(?:
+ https://www.youtube.com/embed/
+ |
+ https://player.vimeo.com/video/
+ |
+ ' . DI::baseUrl() . '/oembed/ # Has to change with the source in Content\Oembed::iframe
+ )%xi');
 $config->set('Attr.AllowedRel', [
 'noreferrer' => true,
 'noopener' => true,
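Review bot: The pattern given to `URI.SafeIframeRegexp` leaves the dots in `www.youtube.com` and `player.vimeo.com` unescaped and concatenates `DI::baseUrl()` into the regex unquoted, so each `.` matches any character and the allowlist accepts hosts other than the three intended ones. Escape the literals as `https://www\.youtube\.com/embed/` and `https://player\.vimeo\.com/video/`, and quote the dynamic part against the `%` delimiter with `' . preg_quote((string) DI::baseUrl(), '%') . '/oembed/`. The cast assumes the returned value is string-convertible, which the existing concatenation implies. Quoting also matters because the `x` flag gives `#` a meaning inside the pattern, and `preg_quote` escapes it on current PHP versions. The enclosing method starts and ends outside this hunk, so how the purifier config is used afterwards cannot be checked from here.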