FEATURE: allowed_iframes site setting for allowing iframes

This allows you to whitelist custom iframes if needed in posts

app/assets/javascripts/pretty-text/pretty-text.js.es6

@@ -62,6 +62,7 @@ export function buildOptions(state) {
     lookupImageUrls,
     censoredWords,
     allowedHrefSchemes: siteSettings.allowed_href_schemes ? siteSettings.allowed_href_schemes.split('|') : null,
+    allowedIframes: (siteSettings.allowed_iframes || '').split('|'),
     markdownIt: true,
     previewing
   };

app/assets/javascripts/pretty-text/sanitizer.js.es6

@@ -1,7 +1,5 @@
 import xss from 'pretty-text/xss';
 
-const _validIframes = [];
-
 function attr(name, value) {
   if (value) {
     return `${name}="${xss.escapeAttrValue(value)}"`;
@@ -69,7 +67,8 @@ export function sanitize(text, whiteLister) {
   text = text.replace(/<([^A-Za-z\/\!]|$)/g, "&lt;$1");
 
   const whiteList = whiteLister.getWhiteList(),
-        allowedHrefSchemes = whiteLister.getAllowedHrefSchemes();
+        allowedHrefSchemes = whiteLister.getAllowedHrefSchemes(),
+        allowedIframes = whiteLister.getAllowedIframes();
   let extraHrefMatchers = null;
 
   if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {
@@ -85,11 +84,13 @@ export function sanitize(text, whiteLister) {
       const forTag = whiteList.attrList[tag];
       if (forTag) {
         const forAttr = forTag[name];
-        if ((forAttr && (forAttr.indexOf('*') !== -1 || forAttr.indexOf(value) !== -1)) ||
+        if (
+            (forAttr && (forAttr.indexOf('*') !== -1 || forAttr.indexOf(value) !== -1)) ||
             (name.indexOf('data-') === 0 && forTag['data-*']) ||
             ((tag === 'a' && name === 'href') && hrefAllowed(value, extraHrefMatchers)) ||
             (tag === 'img' && name === 'src' && (/^data:image.*$/i.test(value) || hrefAllowed(value, extraHrefMatchers))) ||
-            (tag === 'iframe' && name === 'src' && _validIframes.some(i => i.test(value)))) {
+            (tag === 'iframe' && name === 'src' && allowedIframes.some(i => { return value.toLowerCase().indexOf((i || '').toLowerCase()) === 0;}))
+        ) {
           return attr(name, value);
         }
 
@@ -114,10 +115,3 @@ export function sanitize(text, whiteLister) {
                .replace(/&#39;/g, "'")
                .replace(/ \/>/g, '>');
 };
-
-export function whiteListIframe(regexp) {
-  _validIframes.push(regexp);
-}
-
-whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i);
-whiteListIframe(/^(https?:)?\/\/www\.openstreetmap\.org\/export\/embed.html\?.+/i);

app/assets/javascripts/pretty-text/white-lister.js.es6

@@ -9,6 +9,7 @@ export default class WhiteLister {
 
     this._enabled = { "default": true };
     this._allowedHrefSchemes =  (options && options.allowedHrefSchemes) || [];
+    this._allowedIframes = (options && options.allowedIframes) || [];
     this._rawFeatures = [["default", DEFAULT_LIST]];
 
     this._cache = null;
@@ -102,6 +103,10 @@ export default class WhiteLister {
   getAllowedHrefSchemes() {
     return this._allowedHrefSchemes;
   }
+
+  getAllowedIframes() {
+    return this._allowedIframes;
+  }
 }
 
 // Only add to `default` when you always want your whitelist to occur. In other words,

config/locales/server.en.yml

@@ -1058,6 +1058,7 @@ en:
     use_admin_ip_whitelist: "Admins can only log in if they are at an IP address defined in the Screened IPs list (Admin > Logs > Screened Ips)."
     blacklist_ip_blocks: "A list of private IP blocks that should never be crawled by Discourse"
     whitelist_internal_hosts: "A list of internal hosts that discourse can safely crawl for oneboxing and other purposes"
+    allowed_iframes: "A list of iframe src domain prefixes that discourse can safely allow in posts"
     top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
     post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
     post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."

config/site_settings.yml

@@ -940,6 +940,10 @@ security:
   whitelist_internal_hosts:
     default: ''
     type: list
+  allowed_iframes:
+    default: 'https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?'
+    type: list
+    client: true
 
 onebox:
   enable_flash_video_onebox: false

spec/components/pretty_text_spec.rb

@@ -1104,4 +1104,24 @@ HTML
 
   end
 
+  it "can properly whitelist iframes" do
+    SiteSetting.allowed_iframes = "https://bob.com/a|http://silly.com?EMBED="
+    raw = <<~IFRAMES
+      <iframe src='https://www.google.com/maps/Embed?testing'></iframe>
+      <iframe src='https://bob.com/a?testing'></iframe>
+      <iframe src='HTTP://SILLY.COM?EMBED=111'></iframe>
+    IFRAMES
+
+    # we require explicit HTTPS here
+    html = <<~IFRAMES
+      <iframe src="https://bob.com/a?testing"></iframe>
+      <iframe src="HTTP://SILLY.COM?EMBED=111"></iframe>
+    IFRAMES
+
+    cooked = PrettyText.cook(raw).strip
+
+    expect(cooked).to eq(html.strip)
+
+  end
+
 end