From 374f6a4834ce9a318876bb328aab164277433305 Mon Sep 17 00:00:00 2001
From: Matija Obreza
Date: Tue, 1 Dec 2015 19:08:58 +0100
Subject: [PATCH] Allow youtube and vimeo videos in iframes (OWASP sanitizer rules)

---
 .../genesys2/server/service/impl/OWASPSanitizer.java | 10 +++++++++-
 src/main/resources/log4j.properties | 4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java b/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java
index b9cee6fde..2cf777c2e 100644
--- a/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java
+++ b/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java
@@ -54,9 +54,17 @@ public class OWASPSanitizer implements HtmlSanitizer {
 .allowAttributes("align")
 .matching(true, "center", "left", "right", "justify", "char")
 .onElements("p", "table")
+ // Iframe attributes
+ .allowAttributes("width", "height", "frameborder", "webkitallowfullscreen", "mozallowfullscreen", "allowfullscreen")
+ .onElements("iframe")
+ // Iframe sources: vimeo and youtube
+ .allowAttributes("src")
+ .matching(Pattern.compile("^((https:)?//player\\.vimeo\\.com/|(https:)?//www\\.youtube\\.com/).+"))
+ .onElements("iframe")
+ // Elements
 .allowElements("table", "thead", "tbody", "tr", "td", "th", "tfoot", "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul",
- "ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code")
+ "ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code", "iframe")
 // Get factory
 .toFactory();
diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties
index d9b0c6958..19366dc8b 100644
--- a/src/main/resources/log4j.properties
+++ b/src/main/resources/log4j.properties 
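Review bot: The new `src` policy on `iframe` admits any path under `www.youtube.com` and `player.vimeo.com`, not only the embed endpoints, and it also accepts the scheme-less `//host/` form, so a page served over plain http would load the frame over http. Narrowing the pattern to the embed paths and requiring https keeps the allow-list at what the commit message describes: `.matching(Pattern.compile("^https://(player\\.vimeo\\.com/video/|www\\.youtube\\.com/embed/).+"))`. The builder chain this hunk extends starts before the hunk, so whether an earlier URL-protocol setting on the builder further restricts `src` cannot be seen here and should be confirmed. A comment above the pattern such as `// Only the embed endpoints of these two hosts are intended; widen deliberately, not by host` would help the next person editing the list.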
@@ -25,8 +25,8 @@ log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %t %5p %c{1}:%L - %m
 ### set log levels - for more verbose logging change 'info' to 'debug' ###
 log4j.rootLogger=warn, stdout
-log4j.category.org.genesys2=info
-log4j.category.org.genesys2.server.servlet.controller=debug
+#log4j.category.org.genesys2=info
+#log4j.category.org.genesys2.server.servlet.controller=debug
 log4j.category.org.hibernate.cfg.Configuration=debug
 #log4j.category.org.hibernate.search=debug
 #log4j.category.org.apache.tomcat.jdbc.pool=debug
-- GitLab