From 8798340d483a78e543088e34cc9ffee94f20c55e Mon Sep 17 00:00:00 2001
From: venashial
Date: Mon, 23 Aug 2021 05:34:04 -0700
Subject: [PATCH] Allow Youtube through iframes + using image syntax in markdown (#294)
* Allow iframes in markdown from acceptable sources
* Remove Discord from allowed sources
* Make youtube regex more specific
* Fix prettier not wanting new line for regex
* Extend image syntax to autodetect youtube links
* Fix image rendering to support normal images
---
 plugins/compiled-markdown-directive.js | 38 ++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/plugins/compiled-markdown-directive.js b/plugins/compiled-markdown-directive.js
index 5167df656..d1e905088 100644
--- a/plugins/compiled-markdown-directive.js
+++ b/plugins/compiled-markdown-directive.js
@@ -12,12 +12,50 @@ const options = {
 h4: ['id'],
 h5: ['id'],
 h6: ['id'],
+ iframe: ['width', 'height', 'allowfullscreen', 'frameborder'],
+ },
+ onIgnoreTagAttr: (tag, name, value) => {
+ // Allow iframes from acceptable sources
+ if (tag === 'iframe' && name === 'src') {
+ const allowedSources = [
+ {
+ regex: /^https?:\/\/(www\.)?youtube\.com\/embed\/[a-zA-Z0-9_]{11}(\?&autoplay=[0-1]{1})?$/,
+ remove: ['&autoplay=1'], // Prevents autoplay
+ },
+ ]
+
+ for (const source of allowedSources) {
+ if (source.regex.test(value)) {
+ for (const remove of source.remove) {
+ value = value.replace(remove, '')
+ }
+ return name + '="' + xss.escapeAttrValue(value) + '"'
+ }
+ }
+ }
 },
 }
 const configuredXss = new xss.FilterXSS(options)
 const headerPrefix = 'user-defined-'
+const renderer = {
+ image(href, text) {
+ if (
+ /^https?:\/\/(www\.)?youtube\.com\/watch\?v=[a-zA-Z0-9_]{11}$/.test(href)
+ ) {
+ return ``
+ } else {
+ return `${text}`
+ }
+ },
+}
+
+marked.use({ renderer })
+
 function compileMarkdown(target, markdown) {
 target.innerHTML = configuredXss.process(marked(markdown, { headerPrefix }))
 }
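Review bot: The `src` allowlist in `onIgnoreTagAttr` accepts `http://` as well as `https://` (`/^https?:\/\/…`), so a plaintext embed passes the filter and is either blocked as mixed content on an HTTPS page or loaded unencrypted otherwise; anchoring both this regex and the one in `renderer.image` on `^https:\/\/` would close that. Both patterns also use `[a-zA-Z0-9_]{11}` for the video id, which omits `-`, so valid ids containing a hyphen lose their `src` or fall through to the plain image branch; `[a-zA-Z0-9_-]{11}` covers them. Separately, marked calls `renderer.image(href, title, text)`, so the second parameter of `image(href, text)` probably receives the title rather than the alt text, which is worth confirming against the marked version in use. The template-literal bodies in `image` are empty on this page, so how `href` and `text` are interpolated could not be checked, although the rendered HTML does pass through `configuredXss.process` in `compileMarkdown`.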