feat: Add option for safe iframe hosts using array lookup (#423)

Co-authored-by: Edward Z. Yang <ezyang@meta.com>
2024-12-21 16:01:53 +00:00 · 2024-11-09 19:02:09 -08:00 · 2024-11-09 19:02:09 -08:00 · b5cbf0cc3d
commit b5cbf0cc3d
parent f16ace76cd
7 changed files with 40 additions and 6 deletions
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -608,4 +608,9 @@
   <line>35</line>
  </file>
 </directive>
+ <directive id="URI.SafeIframeHosts">
+  <file name="HTMLPurifier/URIFilter/SafeIframe.php">
+   <line>67</line>
+  </file>
+ </directive>
 </usage>
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
@ -6,7 +6,7 @@ DEFAULT: false
 <p>
    Whether or not to permit iframe tags in untrusted documents.  This
    directive must be accompanied by a whitelist of permitted iframes,
-    such as %URI.SafeIframeRegexp, otherwise it will fatally error.
+    such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
    This directive has no effect on strict doctypes, as iframes are not
    valid.
 </p>
--- a/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt
@ -0,0 +1,14 @@
+URI.SafeIframeHosts
+TYPE: lookup/null
+DEFAULT: null
+--DESCRIPTION--
+<p>
+    A whitelist which indicates what explicit hosts should be
+    allowed to embed iframe.  See also %HTML.SafeIframeRegexp,
+    it has precedence over this config. Here are some example values:
+</p>
+<ul>
+    <li><code>www.youtube.com</code> - Allow YouTube videos</li>
+    <li><code>maps.google.com</code> - Allow Embedding a Google map</li>
+</ul>
+--# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/URIFilter/SafeIframe.php
+++ b/library/HTMLPurifier/URIFilter/SafeIframe.php
@ -57,11 +57,12 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
            return true;
        }
        // check if we actually have some whitelists enabled
-        if ($this->regexp === null) {
-            return false;
+        if ($this->regexp !== null) {
+            return preg_match($this->regexp, $uri->toString());
        }
-        // actually check the whitelists
-        return preg_match($this->regexp, $uri->toString());
+        // check if the host is in a whitelist for safe iframe hosts
+        $safeHosts = $config->get('URI.SafeIframeHosts');
+        return $safeHosts !== null && isset($safeHosts[$uri->host]);
    }
 }

--- a/tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt
+++ b/tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt
@ -0,0 +1,8 @@
+--INI--
+HTML.SafeIframe = true
+URI.SafeIframeHosts = www.youtube.com
+--HTML--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
+--EXPECT--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
+--# vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/Injector/RemoveEmptyTest.php
+++ b/tests/HTMLPurifier/Injector/RemoveEmptyTest.php
@ -115,6 +115,12 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
        $this->assertResult('<iframe src="http://google.com"></iframe>', '');
    }

+    public function testRemoveDisallowedIframeDeniedByHostsList()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
+        $this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
+    }
 }

 // vim: et sw=4 sts=4