Skip to content
Browse files

feature: Configurable iFrame Whitelist

This adds a new feature called iFrame Whitelist that offers the ability to
configure what domains you want to be whitelisted for iFrames used in the
system. Basically, if you want to insert an iFrame in the system you'll have
to whitelist the domain first. If you insert an iFrame with a
non-whitelisted domain the system will remove the iFrame upon saving. This
keeps current functionality where by default the system allows YouTube,
Vimeo, and Daily Motion.
  • Loading branch information...
JediKev committed Oct 28, 2019
1 parent 2330f47 commit 44200e5d468a12673ce12bc2e2c4cc9cfccaa322
@@ -452,6 +452,12 @@ function getAllowIframes() {
return str_replace(array(', ', ','), array(' ', ' '), $this->get('allow_iframes')) ?: "'self'";
function getIframeWhitelist() {
$whitelist = array_filter(explode(',', str_replace(' ', '', $this->get('embedded_domain_whitelist'))));
return !empty($whitelist) ? $whitelist : null;
function getACL() {
if (!($acl = $this->get('acl')))
return null;
@@ -1185,6 +1191,7 @@ function updateSystemSettings($vars, &$errors) {
$f['default_dept_id']=array('type'=>'int', 'required'=>1, 'error'=>__('Default Department is required'));
$f['autolock_minutes']=array('type'=>'int', 'required'=>1, 'error'=>__('Enter lock time in minutes'));
$f['allow_iframes']=array('type'=>'cs-url', 'required'=>0, 'error'=>__('Enter comma separated list of urls'));
$f['embedded_domain_whitelist']=array('type'=>'cs-domain', 'required'=>0, 'error'=>__('Enter comma separated list of domains'));
$f['acl']=array('type'=>'ipaddr', 'required'=>0, 'error'=>__('Enter comma separated list of IP addresses'));
//Date & Time Options
$f['time_format']=array('type'=>'string', 'required'=>1, 'error'=>__('Time format is required'));
@@ -1258,6 +1265,7 @@ function updateSystemSettings($vars, &$errors) {
'enable_richtext' => isset($vars['enable_richtext']) ? 1 : 0,
'files_req_auth' => isset($vars['files_req_auth']) ? 1 : 0,
'allow_iframes' => Format::sanitize($vars['allow_iframes']),
'embedded_domain_whitelist' => Format::sanitize($vars['embedded_domain_whitelist']),
'acl' => Format::sanitize($vars['acl']),
'acl_backend' => Format::sanitize((int) $vars['acl_backend']) ?: 0,
@@ -290,6 +290,7 @@ static function __html_cleanup($el, $attributes=0) {
function safe_html($html, $options=array()) {
global $cfg;
$options = array_merge(array(
// Balance html tags
@@ -326,11 +327,17 @@ function safe_html($html, $options=array()) {
'deny_attribute' => 'id',
'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; src: cid, http, https, data',
'hook_tag' => function($e, $a=0) { return Format::__html_cleanup($e, $a); },
'elements' => '*+iframe',
'spec' =>
'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?(youtube|dailymotion|vimeo|player.vimeo)\.com/`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen',
// iFrame Whitelist
$whitelist = $cfg->getIframeWhitelist();
if (!empty($whitelist)) {
$config['elements'] = '*+iframe';
$config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
.implode('|', $whitelist)
.')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
return Format::html($html, $config);
@@ -123,6 +123,14 @@ function validate($source,$userinput=true){
if(!is_numeric($this->input[$k]) || (strlen($this->input[$k])!=5))
case 'cs-domain': // Comma separated list of domains
if($values=explode(',', $this->input[$k]))
foreach($values as $v)
case 'cs-url': // Comma separated list of urls
if($values=explode(',', $this->input[$k]))
foreach($values as $v)
@@ -135,6 +135,21 @@ acl:
<td>Applies ACL to only Staff Panel and Admin Panel.</td></tr>
title: Embedded Domain Whitelist
content: >
Enter a comma separated list of domains to be whitelisted for iFrames used
in the system. Do not input <code>http(s)</code> or <code>www</code> with
the domain; only the domain name will be accepted. This is used when you
would like to embed content in the system (eg. YouTube video) via Client
Portal, Knowledgebase, etc. If you add an iFrame with a non-whitelisted
domain, the system will remove the iFrame automatically. By default the
system allows YouTube, Vimeo, DailyMotion, and Microsoft Stream.
domain.tld, sub.domain.tld
# Date and time options
title: Date &amp; Time Options
@@ -142,6 +142,18 @@
<?php } ?>
<td><?php echo __('Embedded Domain Whitelist'); ?>:</td>
<td><input type="text" size="40" name="embedded_domain_whitelist"
value="<?php echo $config['embedded_domain_whitelist']; ?>"
placeholder="eg. domain.tld, sub.domain.tld">
<i class="help-tip icon-question-sign" href="#embedded_domain_whitelist"></i>
<?php if ($errors['embedded_domain_whitelist']) { ?>
<font class="error">&nbsp;<?php echo $errors['embedded_domain_whitelist']; ?></font>
<?php } ?>
<td><?php echo __('ACL'); ?>:</td>
<td><input type="text" size="40" name="acl" value="<?php echo $config['acl']; ?>"

0 comments on commit 44200e5

Please sign in to comment.
You can’t perform that action at this time.