15 changes: 14 additions & 1 deletion lib/otw_sanitize/embed_sanitizer.rb
Expand Up @@ -161,7 +161,7 @@ def sanitize_embed
allowfullscreen height src type width
] + optional_embed_attributes,
"iframe" => %w[
allowfullscreen frameborder height src title
allow allowfullscreen frameborder height src title
class type width
]
}
Expand All @@ -171,6 +171,7 @@ class type width
disable_scripts(node)
node["flashvars"] = "" unless allows_flashvars?
end
restrict_iframe_allow_attribute if node_name == "iframe"
{ node_allowlist: [node] }
end

Expand All @@ -185,6 +186,18 @@ def disable_scripts(embed_node)
end
end

# Restrict the iframe "allow" attribute to only the "fullscreen" directive.
# Removes the attribute entirely if "fullscreen" is not present.
def restrict_iframe_allow_attribute
return if node["allow"].blank?

if node["allow"].split(/[\s;,]+/).include?("fullscreen")
node["allow"] = "fullscreen"
else
node.remove_attribute("allow")
end
end

def optional_embed_attributes
if allows_flashvars?
%w[wmode flashvars]
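Review bot: The separator regex on the `split` in `restrict_iframe_allow_attribute` treats whitespace the same as `;`, so a value such as `allow="autoplay fullscreen"` — a single `autoplay` directive whose origin list happens to contain the token `fullscreen` — is kept and rewritten to `allow="fullscreen"` instead of being removed. Permissions Policy separates directives with `;` and uses whitespace only between a directive's feature name and its origin list, so checking the first token of each `;`-separated directive follows the grammar: `if node["allow"].split(";").map { |directive| directive.strip.split(/\s+/).first }.include?("fullscreen")`. The result is fail-closed either way — `allow` can delegate capabilities such as camera or geolocation to the embedded origin, and this method never grants anything but `fullscreen` — so this is a precision issue rather than an exposure. Note also that `blank?` comes from ActiveSupport rather than core Ruby; if this gem is meant to load without Rails, `node["allow"].to_s.strip.empty?` avoids the dependency. `sanitize_embed` and the enclosing class start outside the hunk.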
25 changes: 25 additions & 0 deletions spec/lib/html_cleaner_spec.rb
Expand Up @@ -63,6 +63,31 @@ def one_cell_table(content)
expect(result).to be_empty
end

it "keeps allow=\"fullscreen\" on iframes from allowed sources" do
html = '<iframe width="560" height="315" src="//vimeo.com/embed/123" allow="fullscreen" frameborder="0"></iframe>'
result = sanitize_value(field, html)
expect(result).to include('allow="fullscreen"')
end

it "restricts allow attribute to just fullscreen" do
html = '<iframe width="560" height="315" src="//vimeo.com/embed/123" allow="fullscreen; autoplay" frameborder="0"></iframe>'
result = sanitize_value(field, html)
expect(result).to include('allow="fullscreen"')
expect(result).not_to include("autoplay")
end

it "strips allow attribute if it does not include fullscreen" do
html = '<iframe width="560" height="315" src="//vimeo.com/embed/123" allow="autoplay" frameborder="0"></iframe>'
result = sanitize_value(field, html)
expect(result).not_to include("allow=")
end

it "keeps legacy allowfullscreen on iframes" do
html = '<iframe width="560" height="315" src="//vimeo.com/embed/123" allowfullscreen frameborder="0"></iframe>'
result = sanitize_value(field, html)
expect(result).to include("allowfullscreen")
end

%w[criticalcommons.org].each do |source|
it "doesn't convert src to https for #{source}" do
html = '<iframe width="560" height="315" src="http://' + source + '/embed/123" frameborder="0"></iframe>'
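Review bot: None of the new examples exercises an `allow` value where `fullscreen` is not the first directive, so the normalization to a bare `allow="fullscreen"` (rather than passing the original value through) is only pinned indirectly by the `not_to include("autoplay")` expectation in the second example. One more example with `allow="autoplay; fullscreen"` that expects exactly `allow="fullscreen"` would cover directive order and the rewrite in one place. The surrounding `describe`/`context` block starts outside the hunk.
```ruby
  it "normalizes allow to fullscreen regardless of directive order" do
    html = '<iframe width="560" height="315" src="//vimeo.com/embed/123" allow="autoplay; fullscreen" frameborder="0"></iframe>'
    result = sanitize_value(field, html)
    expect(result).to include('allow="fullscreen"')
    expect(result).not_to include("autoplay")
  end
```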