Allow support for allowlisted iframe sources in Content\text\BBCode::convert

- Support Youtube, Vimeo and unused local embeds

diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index e41511f5a37f7be446e0bba1f14b7a84c9c367c7..2563194f2ce3dc91e485c025d3c4b742244020fe 100644 (file)
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1876,6 +1876,14 @@ class BBCode
 
                $config = \HTMLPurifier_HTML5Config::createDefault();
                $config->set('HTML.Doctype', 'HTML5');
+               $config->set('HTML.SafeIframe', true);
+               $config->set('URI.SafeIframeRegexp', '%^(?:
+                       https://www.youtube.com/embed/
+                       |
+                       https://player.vimeo.com/video/
+                       |
+                       ' . DI::baseUrl() . '/oembed/ # Has to change with the source in Content\Oembed::iframe
+               )%xi');
                $config->set('Attr.AllowedRel', [
                        'noreferrer' => true,
                        'noopener' => true,