Sandboxing for iFrames #659

Answered by BoDonkey
carolinaisslaying asked this question in Q&A
Howdy,
You should be able to accomplish this with transformations.
https://github.com/apostrophecms/sanitize-html?tab=readme-ov-file#transformations
Just keep the iframe tag -

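```js
const sanitizeHtml = require('sanitize-html');

const dirty = '<iframe src="http://www.youtube.com/embed/1234"></iframe>';

const clean = sanitizeHtml(dirty, {
  // Only iframes survive; every other tag is dropped.
  allowedTags: ['iframe'],
  allowedAttributes: {
    // sandbox must be allowed here, or the value set below is filtered out.
    iframe: ['src', 'sandbox']
  },
  transformTags: {
    iframe: function (tagName, attribs) {
      // Overwrite whatever sandbox value the markup carried with a fixed one.
      attribs.sandbox = 'allow-forms allow-popups';
      return {
        tagName: 'iframe',
        attribs: attribs
      };
    }
  }
});
```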

This will let you do other sanitization at the same time. You might be able to just use simpleTransform instead.
Cheers,

Answer selected by carolinaisslaying
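
An added example, not part of the original answer or of sanitize-html: a function with the same `(tagName, attribs)` shape that `transformTags` expects, going one step beyond the fixed overwrite above by letting markup narrow the sandbox but never widen it. `makeSandboxTransform`, `KNOWN_TOKENS` and `iframeTransform` are hypothetical names chosen for this sketch.

```javascript
// Added example. Plug the result in as: transformTags: { iframe: iframeTransform }
// and keep 'sandbox' in allowedAttributes.iframe, as in the answer above.

// Sandbox tokens this helper recognises; anything else in a policy is rejected.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation'
]);

function makeSandboxTransform(policyTokens) {
  const policy = new Set(policyTokens);
  for (const t of policy) {
    if (!KNOWN_TOKENS.has(t)) throw new Error('unknown sandbox token: ' + t);
  }
  // A framed document from the embedding page's own origin that has both of
  // these can remove its own sandbox attribute, so refuse such a policy.
  if (policy.has('allow-scripts') && policy.has('allow-same-origin')) {
    throw new Error('policy must not combine allow-scripts with allow-same-origin');
  }
  return function (tagName, attribs) {
    const out = { ...attribs };
    if (typeof attribs.sandbox === 'string') {
      // Markup supplied a sandbox value: keep only tokens the policy also grants.
      // Tokens are ASCII case-insensitive and whitespace separated.
      const asked = attribs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      out.sandbox = [...new Set(asked)].filter((t) => policy.has(t)).join(' ');
    } else {
      // No sandbox attribute in the markup: apply the full policy.
      out.sandbox = [...policy].join(' ');
    }
    return { tagName, attribs: out };
  };
}

// Same policy as the answer above.
const iframeTransform = makeSandboxTransform(['allow-forms', 'allow-popups']);
```

An empty `sandbox` value is the most restrictive setting, so an intersection that leaves no tokens still produces a sandboxed frame.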