# frozen_string_literal: true module Onebox module SanitizeConfig HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze ONEBOX ||= Sanitize::Config.freeze_config(Sanitize::Config.merge(Sanitize::Config::RELAXED, elements: Sanitize::Config::RELAXED[:elements] + %w[audio details embed iframe source video svg path], attributes: { 'a' => Sanitize::Config::RELAXED[:attributes]['a'] + %w(target), 'audio' => %w[controls controlslist], 'embed' => %w[height src type width], 'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src], 'source' => %w[src type], 'video' => %w[controls height loop width autoplay muted poster controlslist playsinline], 'path' => %w[d], 'svg' => ['aria-hidden', 'width', 'height', 'viewbox'], 'div' => [:data], # any data-* attributes, 'span' => [:data], # any data-* attributes }, add_attributes: { 'iframe' => { 'seamless' => 'seamless', 'sandbox' => 'allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox' \ ' allow-presentation', } }, transformers: (Sanitize::Config::RELAXED[:transformers] || []) + [ lambda do |env| next unless env[:node_name] == 'a' a_tag = env[:node] a_tag['href'] ||= '#' if a_tag['href'] =~ %r{^(?:[a-z]+:)?//} a_tag['rel'] = 'nofollow ugc noopener' else a_tag.remove_attribute('target') end end, lambda do |env| next unless env[:node_name] == 'iframe' iframe = env[:node] allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/] allowed = allowed_regexes.any? { |r| iframe["src"] =~ r } if !allowed # add a data attribute with the blocked src. This is not required # but makes it much easier to troubleshoot onebox issues iframe["data-unsanitized-src"] = iframe["src"] iframe.remove_attribute("src") end end ], protocols: { 'embed' => { 'src' => HTTP_PROTOCOLS }, 'iframe' => { 'src' => HTTP_PROTOCOLS }, 'source' => { 'src' => HTTP_PROTOCOLS }, }, css: { properties: Sanitize::Config::RELAXED[:css][:properties] + %w[--aspect-ratio] } )) DISCOURSE_ONEBOX ||= Sanitize::Config.freeze_config( Sanitize::Config.merge( ONEBOX, attributes: Sanitize::Config.merge( ONEBOX[:attributes], 'aside' => [:data] ) ) ) end end