Allow youtube and vimeo videos in iframes (OWASP sanitizer rules)

src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java

@@ -54,9 +54,17 @@ public class OWASPSanitizer implements HtmlSanitizer {
 			.allowAttributes("align")
 			.matching(true, "center", "left", "right", "justify", "char")
 			.onElements("p", "table")
+			// Iframe attributes
+			.allowAttributes("width", "height", "frameborder", "webkitallowfullscreen", "mozallowfullscreen", "allowfullscreen")
+			.onElements("iframe")
+			// Iframe sources: vimeo and youtube 
+			.allowAttributes("src")
+			.matching(Pattern.compile("^((https:)?//player\\.vimeo\\.com/|(https:)?//www\\.youtube\\.com/).+"))
+			.onElements("iframe")
+			
 			// Elements
 			.allowElements("table", "thead", "tbody", "tr", "td", "th", "tfoot", "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul",
-					"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code")
+					"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code", "iframe")
 
 			// Get factory
 			.toFactory();

src/main/resources/log4j.properties

@@ -25,8 +25,8 @@ log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %t %5p %c{1}:%L - %m
 ### set log levels - for more verbose logging change 'info' to 'debug' ###
 log4j.rootLogger=warn, stdout
 
-log4j.category.org.genesys2=info
-log4j.category.org.genesys2.server.servlet.controller=debug
+#log4j.category.org.genesys2=info
+#log4j.category.org.genesys2.server.servlet.controller=debug
 log4j.category.org.hibernate.cfg.Configuration=debug
 #log4j.category.org.hibernate.search=debug
 #log4j.category.org.apache.tomcat.jdbc.pool=debug