Allow youtube and vimeo videos in iframes (OWASP sanitizer rules)

b2906aba · Matija Obreza · edb4cacf · b2906aba
Commit b2906aba authored Dec 01, 2015 by Matija Obreza
--- a/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java
+++ b/src/main/java/org/genesys2/server/service/impl/OWASPSanitizer.java
@@ -54,9 +54,17 @@ public class OWASPSanitizer implements HtmlSanitizer {
 			.allowAttributes("align")
 			.matching(true, "center", "left", "right", "justify", "char")
 			.onElements("p", "table")
+			// Iframe attributes
+			.allowAttributes("width", "height", "frameborder", "webkitallowfullscreen", "mozallowfullscreen", "allowfullscreen")
+			.onElements("iframe")
+			// Iframe sources: vimeo and youtube 
+			.allowAttributes("src")
+			.matching(Pattern.compile("^((https:)?//player\\.vimeo\\.com/|(https:)?//www\\.youtube\\.com/).+"))
+			.onElements("iframe")
+			
 			// Elements
 			.allowElements("table", "thead", "tbody", "tr", "td", "th", "tfoot", "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul",
-					"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code")
+					"ol", "li", "h1", "h2", "h3", "h4", "small", "pre", "code", "iframe")

 			// Get factory
 			.toFactory();