Fix iframe

aguingand · aguingand · commit bafa8c41be46 · 2025-08-07T14:20:02.000+02:00
diff --git a/src/Utils/Sanitization/FormatsSanitizedValue.php b/src/Utils/Sanitization/FormatsSanitizedValue.php
@@ -41,7 +41,25 @@ private function sanitizer(): HtmlSanitizer
     {
         $config = (new HtmlSanitizerConfig())
             ->allowSafeElements()
-            ->allowElement('iframe')
+            ->allowElement('iframe', [
+                'allow',
+                'allowfullscreen',
+                'loading',
+                'name',
+                'referrerpolicy',
+                'sandbox',
+                'src',
+                'srcdoc',
+                'width',
+                'height',
+                'id',
+                'title',
+                'aria-label',
+                'frameborder',
+                'marginwidth',
+                'marginheight',
+                'scrolling',
+            ])
             ->allowRelativeLinks()
             ->allowRelativeMedias()
             ->allowElement('div', ['data-encoded-content'])
diff --git a/tests/Unit/Form/Fields/Formatters/EditorFormatterTest.php b/tests/Unit/Form/Fields/Formatters/EditorFormatterTest.php
@@ -355,22 +355,26 @@
 it('sanitizes HTML content from front by default', function () {
     $value = <<<'HTML'
         This is unwanted:
-        1_<script>alert('XSS')</script>
-        2_<img src="xss.jpg" onload="alert('XSS')">
+        <script>alert('XSS')</script>
+        <img src="javascript:alert('XSS')" onload="alert('XSS')">
+        <iframe src="javascript:alert('XSS')" onerror="alert('XSS')"></iframe>
         This is wanted:
-        1_<x-embed data-key="0"></x-embed>
-        2_<x-sharp-file data-key="0"></x-sharp-file>
-        3_<div data-html-content="true"><script></script></div>
+        <x-embed data-key="0"></x-embed>
+        <x-sharp-file data-key="0"></x-sharp-file>
+        <div data-html-content="true"><script></script></div>
+        <iframe src="/test" allow="fullscreen" allowfullscreen width="50" height="50" frameborder="0" scrolling="false"></iframe>
         HTML;
 
     $expected = <<<'HTML'
         This is unwanted:
-        1_
-        2_<img src="xss.jpg">
+
+        <img>
+        <iframe></iframe>
         This is wanted:
-        1_<x-embed></x-embed>
-        2_<x-sharp-file file="[]"></x-sharp-file>
-        3_<div data-html-content="true"><script></script></div>
+        <x-embed></x-embed>
+        <x-sharp-file file="[]"></x-sharp-file>
+        <div data-html-content="true"><script></script></div>
+        <iframe src="/test" allow="fullscreen" allowfullscreen width="50" height="50" frameborder="0" scrolling="false"></iframe>
         HTML;
 
     expect(
