Sandboxing for iFrames

[carolinaisslaying]

Kia ora,

Is it possible to require sanitise-html to add the sandbox property to iframe tags?

Thanks!

[BoDonkey]

Howdy,
You should be able to accomplish this with transformations.
https://github.com/apostrophecms/sanitize-html?tab=readme-ov-file#transformations
Just keep the iframe tag -

const dirty = '<iframe src="http://www.youtube.com/embed/1234"></iframe>';

const clean = sanitizeHtml(dirty, {
  allowedTags: ['iframe'],
  allowedAttributes: {
    iframe: ['src', 'sandbox']
  },
  transformTags: {
    iframe: function (tagName, attribs) {
      attribs.sandbox = 'allow-forms allow-popups';
      return {
        tagName: 'iframe',
        attribs: attribs
      };
    }
  }
});

This will let you do other sanitization at the same time. You might be able to just use simpleTransform instead.
Cheers,
Bob

[carolinaisslaying]

Awesome, thank you, I'll have a test of this later on and let you know how I get on!