feat: Add option for safe iframe hosts using array lookup (#423)

Co-authored-by: Edward Z. Yang <[email protected]>
ezyang · Nov 10, 2024 · b5cbf0c · b5cbf0c
1 parent f16ace7
commit b5cbf0c
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 6 deletions.
diff --git a/configdoc/usage.xml b/configdoc/usage.xml
@@ -608,4 +608,9 @@
    <line>35</line>
   </file>
  </directive>
+ <directive id="URI.SafeIframeHosts">
+  <file name="HTMLPurifier/URIFilter/SafeIframe.php">
+   <line>67</line>
+  </file>
+ </directive>
 </usage>
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
diff --git a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
@@ -6,7 +6,7 @@ DEFAULT: false
 <p>
     Whether or not to permit iframe tags in untrusted documents.  This
     directive must be accompanied by a whitelist of permitted iframes,
-    such as %URI.SafeIframeRegexp, otherwise it will fatally error.
+    such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
     This directive has no effect on strict doctypes, as iframes are not
     valid.
 </p>

diff --git a/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt b/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt
@@ -0,0 +1,14 @@
+URI.SafeIframeHosts
+TYPE: lookup/null
+DEFAULT: null
+--DESCRIPTION--
+<p>
+    A whitelist which indicates what explicit hosts should be
+    allowed to embed iframe.  See also %HTML.SafeIframeRegexp,
+    it has precedence over this config. Here are some example values:
+</p>
+<ul>
+    <li><code>www.youtube.com</code> - Allow YouTube videos</li>
+    <li><code>maps.google.com</code> - Allow Embedding a Google map</li>
+</ul>
+--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/URIFilter/SafeIframe.php b/library/HTMLPurifier/URIFilter/SafeIframe.php
@@ -57,11 +57,12 @@ public function filter(&$uri, $config, $context)
             return true;
         }
         // check if we actually have some whitelists enabled
-        if ($this->regexp === null) {
-            return false;
+        if ($this->regexp !== null) {
+            return preg_match($this->regexp, $uri->toString());
         }
-        // actually check the whitelists
-        return preg_match($this->regexp, $uri->toString());
+        // check if the host is in a whitelist for safe iframe hosts
+        $safeHosts = $config->get('URI.SafeIframeHosts');
+        return $safeHosts !== null && isset($safeHosts[$uri->host]);
     }
 }
 

diff --git a/tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt b/tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt
@@ -0,0 +1,8 @@
+--INI--
+HTML.SafeIframe = true
+URI.SafeIframeHosts = www.youtube.com
+--HTML--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
+--EXPECT--
+<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
+--# vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/Injector/RemoveEmptyTest.php b/tests/HTMLPurifier/Injector/RemoveEmptyTest.php
@@ -115,6 +115,12 @@ public function testRemoveDisallowedIframe()
         $this->assertResult('<iframe src="http://google.com"></iframe>', '');
     }
 
+    public function testRemoveDisallowedIframeDeniedByHostsList()
+    {
+        $this->config->set('HTML.SafeIframe', true);
+        $this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
+        $this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
+    }
 }
 
 // vim: et sw=4 sts=4