From 7d4a1955193e105b911811a1653acf109f156e5b Mon Sep 17 00:00:00 2001
From: dzaikos <you@example.com>
Date: Mon, 2 Jul 2018 03:16:27 -0400
Subject: [PATCH] Sandbox iframes when sanitizing. Updated iframe unit tests. Refactored sanitizer.getExtraAttributes() to use `switch` instead of multiple `if` statements.
---
reader/sanitizer/sanitizer.go | 13 +++++++------
reader/sanitizer/sanitizer_test.go | 12 ++++++------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/reader/sanitizer/sanitizer.go b/reader/sanitizer/sanitizer.go
index 2a0a2af3..f13681b3 100644
--- a/reader/sanitizer/sanitizer.go
+++ b/reader/sanitizer/sanitizer.go
@@ -131,15 +131,16 @@ func sanitizeAttributes(baseURL, tagName string, attributes []html.Attribute) ([
 }
 func getExtraAttributes(tagName string) ([]string, []string) {
- if tagName == "a" {
+ switch tagName {
+ case "a":
 return []string{"rel", "target", "referrerpolicy"}, []string{`rel="noopener noreferrer"`, `target="_blank"`, `referrerpolicy="no-referrer"`}
- }
-
- if tagName == "video" || tagName == "audio" {
+ case "video", "audio":
 return []string{"controls"}, []string{"controls"}
+ case "iframe":
+ return []string{"sandbox"}, []string{`sandbox="allow-scripts allow-same-origin"`}
+ default:
+ return nil, nil
 }
-
- return nil, nil
 }
 func isValidTag(tagName string) bool {
diff --git a/reader/sanitizer/sanitizer_test.go b/reader/sanitizer/sanitizer_test.go
index 374c107c..fab493a0 100644
--- a/reader/sanitizer/sanitizer_test.go
+++ b/reader/sanitizer/sanitizer_test.go
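Review bot: The new `case "iframe"` pins `sandbox="allow-scripts allow-same-origin"`, a combination that isolates the frame only while the embedded document is cross-origin to the page that renders the sanitized HTML; the HTML spec notes that a same-origin document granted both tokens can remove the attribute from itself, so this value is only as strong as whatever keeps iframe `src` pointing at external hosts, and that validation sits in sanitizeAttributes outside this hunk, so I cannot confirm it here. The function gains a security-relevant literal but still has no doc comment; I would add `// getExtraAttributes returns the attribute names the sanitizer forces onto tagName and their rendered name="value" forms; the iframe sandbox keeps allow-same-origin so third-party embeds keep working, which relies on src never being same-origin with the reader.` The already-replaced test in sanitizer_test.go feeds an input that already carries a sandbox attribute and expects exactly one back, which suggests an incoming value is replaced rather than merged, but an explicit test with a feed-supplied sandbox value that differs from the sanitizer's would pin that the sanitizer's policy always wins.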
@@ -165,7 +165,7 @@ func TestEspaceAttributes(t *testing.T) {
 func TestReplaceYoutubeURL(t *testing.T) {
 input := `<iframe src="http://www.youtube.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent"></iframe>`
- expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent"></iframe>`
+ expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent" sandbox="allow-scripts allow-same-origin"></iframe>`
 output := Sanitize("http://example.org/", input)
 if expected != output {
@@ -175,7 +175,7 @@ func TestReplaceYoutubeURL(t *testing.T) {
 func TestReplaceSecureYoutubeURL(t *testing.T) {
 input := `<iframe src="https://www.youtube.com/embed/test123"></iframe>`
- expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123"></iframe>`
+ expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123" sandbox="allow-scripts allow-same-origin"></iframe>`
 output := Sanitize("http://example.org/", input)
 if expected != output {
@@ -185,7 +185,7 @@ func TestReplaceSecureYoutubeURL(t *testing.T) {
 func TestReplaceSecureYoutubeURLWithParameters(t *testing.T) {
 input := `<iframe src="https://www.youtube.com/embed/test123?rel=0&controls=0"></iframe>`
- expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0"></iframe>`
+ expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin"></iframe>`
 output := Sanitize("http://example.org/", input)
 if expected != output {
@@ -194,8 +194,8 @@ func TestReplaceSecureYoutubeURLWithParameters(t *testing.T) {
 }
 func TestReplaceYoutubeURLAlreadyReplaced(t *testing.T) {
- input := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0"></iframe>`
- expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0"></iframe>`
+ input := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin"></iframe>`
+ expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin"></iframe>`
 output := Sanitize("http://example.org/", input)
 if expected != output {
@@ -205,7 +205,7 @@ func TestReplaceYoutubeURLAlreadyReplaced(t *testing.T) {
 func TestReplaceIframeURL(t *testing.T) {
 input := `<iframe src="https://player.vimeo.com/video/123456?title=0&byline=0"></iframe>`
- expected := `<iframe src="https://player.vimeo.com/video/123456?title=0&byline=0"></iframe>`
+ expected := `<iframe src="https://player.vimeo.com/video/123456?title=0&byline=0" sandbox="allow-scripts allow-same-origin"></iframe>`
 output := Sanitize("http://example.org/", input)
 if expected != output {
-- 
GitLab