fix: security html module removes allow attribute from iframes (#2354)

Wani4ka · NGPixel · web-flow · commit 79c5b8fac266 · 2020-09-13T13:55:32.000-04:00
* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes
* Apply suggestions from code review
fix: remove deprecated attributes for iframe in secure html module

Co-authored-by: Nicolas Giard &lt;github@ngpixel.com&gt;
diff --git a/server/modules/rendering/html-security/renderer.js b/server/modules/rendering/html-security/renderer.js
@@ -29,6 +29,7 @@ module.exports = {
 
       if (config.allowIFrames) {
         allowedTags.push('iframe')
+        allowedAttrs.push('allow')
       }
 
       input = DOMPurify.sanitize(input, {

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ module.exports = {`
`29`	`29`
`30`	`30`	`if (config.allowIFrames) {`
`31`	`31`	`allowedTags.push('iframe')`
	`32`	`+ allowedAttrs.push('allow')`
`32`	`33`	`}`
`33`	`34`
`34`	`35`	`input = DOMPurify.sanitize(input, {`