fix(amp-iframe): correctly sanitize certain iframe attributes
Fix sanitization of the allowfullscreen, allowtransparency, frameborder, and scrolling attributes on
iframe elements

Fixes #126
jbhannah committed Feb 26, 2020
1 parent df736aa commit 6eead72
Showing 2 changed files with 135 additions and 3 deletions.
26 changes: 25 additions & 1 deletion lib/amperize.js
Expand Up @@ -296,7 +296,7 @@ Amperize.prototype.traverse = async function traverse(data, html, done) {
return enter();
}

var youtubeId = element.attribs.src.match(/^.*(youtu.be\/|youtube(-nocookie)?.com\/(v\/|.*u\/\w\/|embed\/|.*v=))([\w-]{11}).*/)
var youtubeId = element.attribs.src.match(/^.*(youtu.be\/|youtube(-nocookie)?.com\/(v\/|.*u\/\w\/|embed\/|.*v=))([\w-]{11}).*/);
useSecureSchema(element);

if (youtubeId) {
Expand All @@ -312,6 +312,30 @@ Amperize.prototype.traverse = async function traverse(data, html, done) {
element.attribs.sandbox = !element.attribs.sandbox ? self.config['amp-iframe'].sandbox : element.attribs.sandbox;
}

if (element.attribs.hasOwnProperty('frameborder')) {
element.attribs.frameborder = element.attribs.frameborder === '0' ? '0' : '1';
}

if (element.attribs.hasOwnProperty('scrolling')) {
element.attribs.scrolling = element.attribs.scrolling === '0' ? '0' : '1';
}

if (element.attribs.hasOwnProperty('allowfullscreen')) {
if (element.attribs.allowfullscreen === 'false') {
delete element.attribs.allowfullscreen;
} else {
element.attribs.allowfullscreen = '';
}
}

if (element.attribs.hasOwnProperty('allowtransparency')) {
if (element.attribs.allowtransparency === 'false') {
delete element.attribs.allowtransparency;
} else {
element.attribs.allowtransparency = '';
}
}

if (!element.attribs.width || !element.attribs.height || !element.attribs.layout) {
element.attribs.width = !element.attribs.width ? self.config['amp-iframe'].width : element.attribs.width;
element.attribs.height = !element.attribs.height ? self.config['amp-iframe'].height : element.attribs.height;
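Review bot: The `scrolling` normalisation at `element.attribs.scrolling = element.attribs.scrolling === '0' ? '0' : '1';` only ever emits `0` or `1`, but if I recall correctly the AMP validator's amp-iframe rules accept `auto`/`yes`/`no` for `scrolling` (the `0`/`1` pair is the accepted set for `frameborder`), so this branch may still produce markup the validator rejects — worth confirming against the current amp-iframe validator rules before relying on it. The two boolean-attribute blocks compare against the literal `'false'` only, so an author opt-out written as `allowfullscreen="FALSE"` or `"False"` is kept and rewritten to the enabling form `allowfullscreen=""`; if the intent is to honour opt-outs, `String(element.attribs.allowfullscreen).toLowerCase() === 'false'` (and likewise for `allowtransparency`) is the safer comparison, and the choice to treat `"false"` as absent — which departs from HTML boolean-attribute semantics, where presence alone means true — deserves a one-line comment such as `// treat an explicit "false" as opt-out even though HTML would read the bare attribute as true`. Note that the `sandbox` value on the line above is still passed through from the source document untouched; that is pre-existing behaviour, not something this change introduces. The enclosing `traverse` function begins and ends outside this hunk.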
112 changes: 110 additions & 2 deletions test/amperize.test.js
Expand Up @@ -51,7 +51,7 @@ describe('Amperize', function () {
width: 600,
height: 400
},
'request_timeout': 3000
request_timeout: 3000
});
});

Expand Down Expand Up @@ -364,6 +364,114 @@ describe('Amperize', function () {
});
});

it('transforms <iframe> with frameborder=0 to preserve frameborder=0', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" frameborder="0"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('frameborder="0"');
done();
});
});

it('transforms <iframe> with frameborder=1 to preserve frameborder=1', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" frameborder="1"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('frameborder="1"');
done();
});
});

it('transforms <iframe> with frameborder to frameborder=1', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" frameborder></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('frameborder="1"');
done();
});
});

it('transforms <iframe> with scrolling=0 to preserve scrolling=0', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" scrolling="0"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('scrolling="0"');
done();
});
});

it('transforms <iframe> with scrolling=1 to preserve scrolling=1', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" scrolling="1"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('scrolling="1"');
done();
});
});

it('transforms <iframe> with scrolling to scrolling=1', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" scrolling></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('scrolling="1"');
done();
});
});

it('transforms <iframe> with allowfullscreen to allowfullscreen=""', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowfullscreen=""></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('allowfullscreen=""');
done();
});
});

it('transforms <iframe> with allowfullscreen="true" to allowfullscreen=""', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowfullscreen="true"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('allowfullscreen=""');
done();
});
});

it('transforms <iframe> with allowfullscreen="false" to remove allowfullscreen', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowfullscreen="false"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.not.contain('allowfullscreen');
done();
});
});

it('transforms <iframe> with allowtransparency to allowtransparency=""', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowtransparency></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('allowtransparency=""');
done();
});
});

it('transforms <iframe> with allowtransparency="true" to allowtransparency=""', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowtransparency="true"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.contain('allowtransparency=""');
done();
});
});

it('transforms <iframe> with allowtransparency="false" to remove allowtransparency', function (done) {
amperize.parse('<iframe src="https://giphy.com/embed/3oEduKP4VaUxJvLwuA" allowtransparency="false"></iframe>', function (error, result) {
expect(result).to.exist;
expect(result).to.contain('<amp-iframe');
expect(result).to.not.contain('allowtransparency');
done();
});
});

it('transforms <iframe> with youtube URL to <amp-youtube></amp-youtube>', function (done) {
amperize.parse('<iframe src="https://www.youtube.com/embed/HMQkV5cTuoY" height="400"></iframe>', function (error, result) {
expect(result).to.exist;
Expand Down Expand Up @@ -516,7 +624,7 @@ describe('Amperize', function () {
expect(result).to.contain('</amp-audio>');
done();
});
})
});

it('can handle redirects', function (done) {
var secondImageSizeMock;
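Review bot: None of the twelve new iframe cases assert on `error` — each callback reads only `result` — so a parse that reports an error while still returning partial output would pass; adding `expect(error).to.not.exist;` ahead of `expect(result).to.exist;` in each case keeps them honest, and matches what a sanitisation test should guarantee. There is no case for a mixed-case opt-out such as `allowfullscreen="False"`, which under the exact-match check in lib/amperize.js is emitted as `allowfullscreen=""`; a test pinning whichever behaviour is intended would document that decision rather than leave it implicit. The `scrolling` cases lock in `scrolling="1"` as the expected output; if the AMP validator's accepted values for that attribute are `auto`/`yes`/`no` rather than `0`/`1` (worth confirming against the amp-iframe validator rules), these expectations will enshrine invalid markup. The enclosing `describe('Amperize', …)` block starts and ends outside this hunk.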
