TextPanel: Allow iframes (after sanitization) (#92299)

* Allow iframes in text panel

* add more attributes

* remove =true

packages/grafana-data/src/text/sanitize.test.ts

@@ -19,7 +19,14 @@ describe('sanitizeUrl', () => {
   });
 });
 
-// write test to sanitize xss payloads using the sanitize function
+describe('sanitizeIframe', () => {
+  it('should sanitize iframe tags', () => {
+    const html = '<iframe src="javascript:alert(document.domain)"></iframe>';
+    const str = sanitizeTextPanelContent(html);
+    expect(str).toBe('<iframe src="about:blank" sandbox credentialless referrerpolicy=no-referrer></iframe>');
+  });
+});
+
 describe('sanitize', () => {
   it('should sanitize xss payload', () => {
     const html = '<script>alert(1)</script>';

packages/grafana-data/src/text/sanitize.ts

@@ -7,7 +7,20 @@ const XSSWL = Object.keys(xss.whiteList).reduce<xss.IWhiteList>((acc, element) =
   return acc;
 }, {});
 
+// Add iframe tags to XSSWL.
+// We don't allow the sandbox attribute, since it can be overridden, instead we add it below.
+XSSWL.iframe = ['src', 'width', 'height'];
+
 const sanitizeTextPanelWhitelist = new xss.FilterXSS({
+  // Add sandbox attribute to iframe tags if an attribute is allowed.
+  onTagAttr: function (tag, name, value, isWhiteAttr) {
+    if (tag === 'iframe') {
+      return isWhiteAttr
+        ? ` ${name}="${xss.escapeAttrValue(sanitizeUrl(value))}" sandbox credentialless referrerpolicy=no-referrer`
+        : '';
+    }
+    return;
+  },
   whiteList: XSSWL,
   css: {
     whiteList: {