Properly handle "loading" and "sandbox" attributes of iframes

2026-01-05 09:41:40 +09:00 · 2023-12-12 19:05:40 +09:00 · 2023-12-12 19:05:40 +09:00 · b344bbfb26
commit b344bbfb26
parent b299dd02dc
2 changed files with 40 additions and 0 deletions
--- a/common/framework/filters/HTMLFilter.php
+++ b/common/framework/filters/HTMLFilter.php
@ -38,6 +38,23 @@ class HTMLFilter
 		'web-share' => true,
 	);

+	/**
+	 * Sandbox values for iframes.
+	 */
+	protected static $_iframe_sandbox = array(
+		'allow-downloads' => true,
+		'allow-forms' => true,
+		'allow-modals' => true,
+		'allow-orientation-lock' => true,
+		'allow-pointer-lock' => true,
+		'allow-popups' => true,
+		'allow-presentation' => true,
+		'allow-same-origin' => true,
+		'allow-scripts' => true,
+		'allow-top-navigation' => true,
+
+	);
+
 	/**
 	 * List of tags where data-* attributes are allowed.
 	 */
@ -327,7 +344,9 @@ class HTMLFilter
 		$def->addAttribute('img', 'srcset', 'Text');
 		$def->addAttribute('iframe', 'allow', 'Text');
 		$def->addAttribute('iframe', 'allowfullscreen', 'Bool');
+		$def->addAttribute('iframe', 'loading', 'Enum#eager,lazy');
 		$def->addAttribute('iframe', 'referrerpolicy', 'Enum#no-referrer,no-referrer-when-downgrade,origin,origin-when-cross-origin,same-origin,strict-origin,strict-origin-when-cross-origin,unsafe-url');
+		$def->addAttribute('iframe', 'sandbox', 'Text');

 		// Support contenteditable="false" (#1710)
 		$def->addAttribute('div', 'contenteditable', 'Enum#false');
@ -553,6 +572,19 @@ class HTMLFilter
 			return 'allow="' . implode('; ', $result) . '"';
 		}, $content);

+		// Remove "sandbox" attributes that should not be allowed.
+		$content = preg_replace_callback('!(?<=\s)sandbox="([^"<>]*?)"!i', function($matches) {
+			$result = [];
+			foreach (array_map('trim', preg_split('/\s+/', $matches[1])) as $value)
+			{
+				if (isset(self::$_iframe_sandbox[$value]))
+				{
+					$result[] = $value;
+				}
+			}
+			return 'sandbox="' . implode(' ', $result) . '"';
+		}, $content);
+
 		// Remove object and embed URLs that are not allowed.
 		$whitelist = MediaFilter::getWhitelistRegex();
 		$content = preg_replace_callback('!<(object|embed|param|audio|video|source|track)([^>]+)>!i', function($matches) use($whitelist) {
--- a/tests/unit/framework/filters/HTMLFilterTest.php
+++ b/tests/unit/framework/filters/HTMLFilterTest.php
@ -130,6 +130,14 @@ class HTMLFilterTest extends \Codeception\Test\Unit
 		$target = '<iframe src="https://www.youtube.com/" referrerpolicy="no-referrer"></iframe>';
 		$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));

+		$source = '<iframe src="https://www.youtube.com/" loading="lazy" sandbox="allow-presentation allow-scripts  allow-whatever"></iframe>';
+		$target = '<iframe src="https://www.youtube.com/" loading="lazy" sandbox="allow-presentation allow-scripts"></iframe>';
+		$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
+
+		$source = '<iframe src="https://www.youtube.com/" loading="invalid" sandbox=" "></iframe>';
+		$target = '<iframe src="https://www.youtube.com/" sandbox=""></iframe>';
+		$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
+
 		$source = '<object type="application/x-shockwave-flash" width="640px" height="360px" align="middle" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10,3,0,0">' .
 			'<param name="movie" value="http://videofarm.daum.net/controller/player/VodPlayer.swf" />' .
 			'<param name="allowScriptAccess" value="always" />' .