apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

iframe src attribute not allowed in some browsers when iframe options set

mattclough1 opened this issue · comments

To Reproduce

Step by step instructions to reproduce the behavior:

  1. Open a console in Chrome or Firefox
  2. Paste new URL('//cdn.iframe.ly', 'relative://relative-site/1/')
  3. Inspect the returned object's values
  4. Note hostname is an empty string
  5. Repeat steps 1–3 in Safari
  6. Note that hostname is now cdn.iframe.ly

Expected behavior

sanitize-html, when either allowedIframeHostnames or allowedIframeDomains option is set, should allow a URL such as //cdn.iframe.ly as the src attribute for an iframe.

Describe the bug

When either allowedIframeHostnames or allowedIframeDomains option is set, sanitize-html attempts to set the variable allowed to a truthy value by using the parsed URL's hostname or domain, then deleting the src attribute if allowed is not a truthy value. In Chrome and Firefox, some URLs may be disallowed if these options are set due to hostname being an empty string.

Details

Additional context:
Tested Browsers:
Chrome 94.0.4606.81
Safari 15.0 (16612.1.29.41.4, 16612)
Firefox 93.0
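The check the issue describes, as an added example that is neither part of the issue nor sanitize-html's own code: an iframe src allow-list that resolves the value against a placeholder base and compares the resulting hostname. The option names allowedIframeHostnames and allowedIframeDomains are taken from the issue; allowIframeRelativeUrls, the function names, the https placeholder base and the sample inputs are this example's own assumptions. It shows the base-URL choice that decides whether "//host" gets a hostname at all: for a non-special scheme such as relative:, the result varies by URL implementation (the issue reports an empty hostname in Chrome 94 and Firefox 93 and cdn.iframe.ly in Safari 15), while for a special scheme such as https: every WHATWG URL parser assigns the authority, so the allow-list check behaves the same in browsers and in Node.

```javascript
// Added example (not sanitize-html's code): an <iframe src> allow-list check
// modelled on the behaviour the issue describes. Option names
// allowedIframeHostnames / allowedIframeDomains come from the issue;
// allowIframeRelativeUrls and everything else here are this example's own.

// The base the issue quotes: a non-special scheme. Whether '//cdn.iframe.ly'
// resolved against it has hostname 'cdn.iframe.ly' or '' depends on the URL
// implementation (the issue reports '' in Chrome 94 / Firefox 93, the real
// hostname in Safari 15).
const NON_SPECIAL_BASE = 'relative://relative-site/1/';

// A special (https) base. For special schemes every WHATWG URL implementation
// parses the authority of a protocol-relative reference, so the hostname check
// gives the same answer in browsers and in Node.
const SPECIAL_BASE = 'https://relative-site/1/';

// Hostname the URL implementation assigns to `value` resolved against `base`,
// or null when parsing throws. Run hostnameUnder('//cdn.iframe.ly', NON_SPECIAL_BASE)
// in a browser console to reproduce the issue's steps 1-6.
function hostnameUnder(value, base) {
  try {
    return new URL(value, base).hostname;
  } catch (e) {
    return null;
  }
}

// Decide whether an iframe src value is allowed. Returns an object so the
// caller can see why a value was dropped; 'no-hostname' is the failure mode
// from the issue.
function classifyIframeSrc(value, options, base = SPECIAL_BASE) {
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch (e) {
    return { allowed: false, reason: 'unparseable', hostname: null };
  }
  const host = parsed.hostname; // already lower-cased by the URL parser

  // The placeholder host in `base` marks site-relative references (/embed/1).
  // Note it also catches an absolute URL whose host literally is 'relative-site'.
  if (host === 'relative-site') {
    return { allowed: Boolean(options.allowIframeRelativeUrls), reason: 'relative', hostname: host };
  }
  if (!host) {
    // javascript:, data:, about: and, on some parsers, '//host' against a
    // non-special base all land here and are dropped.
    return { allowed: false, reason: 'no-hostname', hostname: host };
  }

  const hostnames = options.allowedIframeHostnames || [];
  const domains = options.allowedIframeDomains || [];
  if (hostnames.length === 0 && domains.length === 0) {
    return { allowed: true, reason: 'unrestricted', hostname: host };
  }
  const byHostname = hostnames.includes(host);
  // A domain matches the host itself or a subdomain. A bare suffix test would
  // let 'evilzoom.us' through for an allowed domain 'zoom.us'.
  const byDomain = domains.some(d => host === d || host.endsWith('.' + d));
  return {
    allowed: byHostname || byDomain,
    reason: byHostname ? 'hostname' : byDomain ? 'domain' : 'not-allowed',
    hostname: host
  };
}

// Constructed sample inputs (not from the issue) for a quick stand-alone run.
const sampleOptions = {
  allowedIframeHostnames: ['cdn.iframe.ly', 'www.youtube.com'],
  allowedIframeDomains: ['zoom.us']
};
const samples = [
  '//cdn.iframe.ly/embed',
  'https://us02web.zoom.us/j/1',
  'https://evilzoom.us/',
  '/embed/1',
  'javascript:alert(1)'
];
for (const v of samples) {
  console.log(v, '->', classifyIframeSrc(v, sampleOptions),
    '| hostname via non-special base:', hostnameUnder(v, NON_SPECIAL_BASE));
}
```

Compare the last column of the output between a browser console and Node: the allow-list result computed against SPECIAL_BASE is stable, whereas the hostname obtained via NON_SPECIAL_BASE is the value the issue reports as implementation-dependent.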