iframe src attribute not allowed in some browsers when iframe options set
mattclough1 opened this issue
To Reproduce
Step by step instructions to reproduce the behavior:
1. Open a console in Chrome or Firefox
2. Paste `new URL('//cdn.iframe.ly', 'relative://relative-site/1/')`
3. Inspect the returned object's values
4. Note `hostname` is an empty string
5. Repeat steps 1–3 in Safari
6. Note that `hostname` is now `cdn.iframe.ly`
Expected behavior
sanitize-html, when either the `allowedIframeHostnames` or `allowedIframeDomains` option is set, should allow a URL such as `//cdn.iframe.ly` as the `src` attribute for an iframe.
Describe the bug
When either the `allowedIframeHostnames` or `allowedIframeDomains` option is set, sanitize-html attempts to set the variable `allowed` to a truthy value by using the parsed URL's hostname or domain, then deletes the `src` attribute if `allowed` is not a truthy value. In Chrome and Firefox, some URLs may be disallowed if these options are set, due to `hostname` being an empty string.
Details
Additional context:
Tested browsers:
- Chrome 94.0.4606.81
- Safari 15.0 (16612.1.29.41.4, 16612)
- Firefox 93.0