fix: security html module removes allow attribute from iframes (#2354)

* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes * Apply suggestions from code review fix: remove deprecated attributes for iframe in secure html module Co-authored-by: Nicolas Giard <github@ngpixel.com>
4 years ago · 79c5b8fac2
parent 660b78d9e2
commit 79c5b8fac2
1 changed files with 1 additions and 0 deletions
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@ -29,6 +29,7 @@ module.exports = {

      if (config.allowIFrames) {
        allowedTags.push('iframe')
+        allowedAttrs.push('allow')
      }

      input = DOMPurify.sanitize(input, {