		@@ -283,2 +283,3 @@ 'use strict';
		if (name === 'iframe' && a === 'src') {
		var allowed = true;
		try {
		@@ -288,13 +289,16 @@ // naughtyHref is in charge of whether protocol relative URLs
		parsed = url.parse(value, false, true);
		if (options.allowedIframeHostnames) {
		var whitelistedHostnames = options.allowedIframeHostnames.find(function (hostname) {
		var isRelativeUrl = parsed && parsed.host === null && parsed.protocol === null;
		if (isRelativeUrl) {
		// default value of allowIframeRelativeUrls is true unless allowIframeHostnames specified
		allowed = has(options, "allowIframeRelativeUrls") ? options.allowIframeRelativeUrls : !options.allowedIframeHostnames;
		} else if (options.allowedIframeHostnames) {
		allowed = options.allowedIframeHostnames.find(function (hostname) {
		return hostname === parsed.hostname;
		});
		if (!whitelistedHostnames) {
		delete frame.attribs[a];
		return;
		}
		}
		} catch (e) {
		// Unparseable iframe src
		allowed = false;
		}
		if (!allowed) {
		delete frame.attribs[a];
		@@ -301,0 +305,0 @@ return;

package.json

		{
		"name": "sanitize-html",
		"version": "1.18.5",
		"version": "1.19.0",
		"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
		@@ -5,0 +5,0 @@ "main": "dist/index.js",

README.md

		@@ -331,2 +331,10 @@ # sanitize-html

		You may also specify whether or not to allow relative URLs as iframe sources.

		```javascript
		allowIframeRelativeUrls: true
		```

		Note that if unspecified, relative URLs will be allowed by default if no hostname filter is provided but removed by default if a hostname filter is provided.

		Remember that the `iframe` tag must be allowed as well as the `src` attribute.
		@@ -484,2 +492,6 @@

		1.19.0:

		* New `allowIframeRelativeUrls` option. It defaults to `true` unless `allowedIframeHostnames` is present, in which case it defaults to false, for backwards compatibility with existing behavior in both cases; however you can now set the option explicitly to allow both certain hostnames and relative URLs. Thanks to Rick Martin.

		1.18.5:
		@@ -486,0 +498,0 @@

src/index.js

		@@ -243,2 +243,3 @@ var htmlparser = require('htmlparser2');
		if (name === 'iframe' && a === 'src') {
		var allowed = true;
		try {
		@@ -248,13 +249,17 @@ // naughtyHref is in charge of whether protocol relative URLs
		parsed = url.parse(value, false, true);
		if (options.allowedIframeHostnames) {
		var whitelistedHostnames = options.allowedIframeHostnames.find(function(hostname) {
		var isRelativeUrl = parsed && parsed.host === null && parsed.protocol === null;
		if (isRelativeUrl) {
		// default value of allowIframeRelativeUrls is true unless allowIframeHostnames specified
		allowed = has(options, "allowIframeRelativeUrls") ?
		options.allowIframeRelativeUrls : !options.allowedIframeHostnames;
		} else if (options.allowedIframeHostnames) {
		allowed = options.allowedIframeHostnames.find(function (hostname) {
		return hostname === parsed.hostname;
		});
		if (!whitelistedHostnames) {
		delete frame.attribs[a];
		return;
		}
		}
		} catch (e) {
		// Unparseable iframe src
		allowed = false;
		}
		if (!allowed) {
		delete frame.attribs[a];
		@@ -261,0 +266,0 @@ return;

test/test.js

		@@ -659,3 +659,3 @@ var assert = require("assert");
		});
		it('Should remove iframe src urls that are not inlcuded in whitelisted hostnames', function() {
		it('Should remove iframe src urls that are not included in whitelisted hostnames', function() {
		assert.equal(
		@@ -686,3 +686,3 @@ sanitizeHtml('<iframe src="https://www.embed.vevo.com/USUV71704255"></iframe>', {
		});
		it('Should allow relative URLs for iframes', function() {
		it('Should allow relative URLs for iframes by default', function() {
		assert.equal(
		@@ -695,2 +695,39 @@ sanitizeHtml('<iframe src="/foo"></iframe>', {
		});
		it('Should allow relative URLs for iframes', function() {
		assert.equal(
		sanitizeHtml('<iframe src="/foo"></iframe>', {
		allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
		allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
		allowIframeRelativeUrls: true,
		}), '<iframe src="/foo"></iframe>'
		);
		});
		it('Should remove relative URLs for iframes', function() {
		assert.equal(
		sanitizeHtml('<iframe src="/foo"></iframe>', {
		allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
		allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
		allowIframeRelativeUrls: false,
		}), '<iframe></iframe>'
		);
		});
		it('Should remove relative URLs for iframes when whitelisted hostnames specified', function() {
		assert.equal(
		sanitizeHtml('<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>', {
		allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
		allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
		allowedIframeHostnames: ['www.youtube.com']
		}), '<iframe></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>'
		);
		});
		it('Should allow relative and whitelisted hostname URLs for iframes', function() {
		assert.equal(
		sanitizeHtml('<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>', {
		allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
		allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
		allowIframeRelativeUrls: true,
		allowedIframeHostnames: ['www.youtube.com']
		}), '<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>'
		);
		});
		it('Should allow protocol-relative URLs for the right domain for iframes', function() {
		@@ -697,0 +734,0 @@ assert.equal(

dist/sanitize-html.js

Sorry, the diff of this file is too big to display

dist/sanitize-html.min.js

Sorry, the diff of this file is too big to display

sanitize-html - npm Package Compare versions

Improved metrics