
feat: implement HTML and URL sanitization with secure iframe and doma…#876

Merged
RUKAYAT-CODER merged 1 commit into rinafcode:main from extolkom:fix/720-dompurify-iframe-allowlist on Jun 30, 2026

Conversation

@extolkom

Contributor

closes #720

Summary
src/utils/sanitize.ts previously added IFRAME to DOMPurify's ADD_TAGS along with allowfullscreen and data-youtube-video to ADD_ATTR, with no restriction on the iframe's src. This allowed injection of iframes pointing to arbitrary origins, opening the door to clickjacking and cross-origin data exfiltration despite the feature only being intended for YouTube embeds.
Changes

Added a DOMPurify afterSanitizeAttributes hook that inspects every iframe[src] and validates it against an explicit domain allowlist, currently https://www.youtube-nocookie.com only.
Any iframe whose src doesn't match the allowlist has its src stripped (or the node removed), so non-YouTube iframes can no longer render.
Removed the generic allowfullscreen attribute from ADD_ATTR; it's now only permitted on iframes that pass the YouTube-nocookie validation in the hook, rather than on any iframe DOMPurify lets through.
Added a unit test asserting that an iframe with a non-YouTube src (e.g. an attacker-controlled origin) has its src stripped after sanitization.

Why
The previous allowlist trusted the tag/attribute combination without verifying the actual destination, so any HTML containing an <iframe src="https://evil.example"> with the allowed attributes would sanitize cleanly and render. Pinning to youtube-nocookie.com closes that gap while preserving the intended embed functionality.
Testing
Added/ran unit tests covering: a valid youtube-nocookie.com iframe renders unchanged with allowfullscreen intact, a non-YouTube iframe src is stripped, and a few XSS-style payloads in the src attribute are neutralized. Manually verified an existing YouTube embed in the app still renders and plays correctly.
Acceptance criteria met

✅ DOMPurify strips iframes with non-allowlisted sources
✅ YouTube nocookie embeds render correctly
✅ XSS payloads in iframe src attributes are neutralized

…in filtering along with associated tests and snapshots
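The validation the description sketches (an afterSanitizeAttributes hook that keeps an iframe's src only when its origin is on an explicit allowlist, and permits allowfullscreen only on those iframes) is shown below as an added example; it is not the code from this PR or from src/utils/sanitize.ts. The allowlist, the hook name, the FakeElement stand-in and the sample inputs are assumptions made so the file runs in plain Node without a DOM; with the real library the hook would be registered via DOMPurify.addHook('afterSanitizeAttributes', iframeSrcHook).

```javascript
// Added example, not the project's own code. The registration call
// DOMPurify.addHook('afterSanitizeAttributes', iframeSrcHook) is left out so
// this runs in Node without a DOM; the hook itself only uses standard
// Element attribute methods, so it works unchanged on real elements.

// Assumed allowlist: the PR pins embeds to youtube-nocookie.com only.
const ALLOWED_IFRAME_ORIGINS = new Set(['https://www.youtube-nocookie.com']);

// True only if src parses as an absolute https URL whose *origin* is allowlisted.
// Comparing url.origin (not a string prefix) means look-alike hosts such as
// www.youtube-nocookie.com.evil.example, or userinfo forms where the expected
// host appears before an '@', resolve to a different origin and are rejected.
function isAllowedIframeSrc(src) {
  if (typeof src !== 'string') return false;
  let url;
  try {
    // Relative URLs throw here; they would resolve to our own origin, not YouTube.
    url = new URL(src.trim());
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false; // also excludes javascript:, data:, blob:
  return ALLOWED_IFRAME_ORIGINS.has(url.origin);
}

// Hook body: DOMPurify calls afterSanitizeAttributes hooks with each element
// once its attributes have been sanitized. Non-allowlisted iframes lose their
// src (nothing loads) and allowfullscreen (permitted only on validated embeds).
function iframeSrcHook(node) {
  if (node.tagName !== 'IFRAME') return;
  if (isAllowedIframeSrc(node.getAttribute('src'))) return;
  node.removeAttribute('src');
  node.removeAttribute('allowfullscreen');
}

// Minimal stand-in for a DOM element so the hook can be exercised outside a browser.
class FakeElement {
  constructor(tagName, attrs) {
    this.tagName = tagName.toUpperCase();
    this.attrs = new Map(Object.entries(attrs));
  }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  removeAttribute(name) { this.attrs.delete(name); }
}

// Runs the hook over a constructed <iframe> and returns the surviving attributes.
function sanitizeIframe(attrs) {
  const el = new FakeElement('iframe', attrs);
  iframeSrcHook(el);
  return Object.fromEntries(el.attrs);
}

// Constructed sample inputs: one valid nocookie embed, one foreign origin.
console.log(sanitizeIframe({ src: 'https://www.youtube-nocookie.com/embed/VIDEO_ID', allowfullscreen: '' }));
console.log(sanitizeIframe({ src: 'https://evil.example', allowfullscreen: '' }));
```

Stripping src rather than removing the node matches the first option the description gives; removing the node instead would be a one-line change in iframeSrcHook (node.parentNode.removeChild(node)). Either way the decision is made on the parsed origin, never on the raw attribute string.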
@drips-wave

drips-wave Bot commented Jun 30, 2026


@extolkom Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Contributor

Thank you for contributing to the project.

@RUKAYAT-CODER RUKAYAT-CODER merged commit 2abd705 into rinafcode:main Jun 30, 2026
5 checks passed


Development

Successfully merging this pull request may close these issues.

[Security] DOMPurify allowlist permits <iframe> and data-youtube-video — XSS via embedded frames

2 participants