search

extractus / oembed-extractor

Extract oEmbed data from given webpage
https://extractor-demos.pages.dev/oembed-extractor
MIT License
104 stars 44 forks source link

apply arbitrary attributes to the embedded iframe #147

Closed dJani97 closed 2 years ago

dJani97 commented 2 years ago

Hi!

I was wondering if there is any easy way to apply the sandbox attribute to the embedded iframes, for security reasons.

Is there an existing way to do this, or would it be possible to extend the API?

It could look like this:

await extract(url, {
  maxwidth: this.maxWidth,
  maxheight: this.maxHeight,
  iframeAttributes: {
    sandbox: 'allow-scripts',
  },
});

Then, the returned HTML would look something like this:

<iframe sandbox="allow-scripts" src="..."></iframe>
ndaidong commented 2 years ago

@dJani97 hello, sorry for missing your question.

As what I understand, you can simply add any attribute to your iframe tag with DOM manipulation, after receiving it from oembed-parser, right?

Currently, this lib only supports params as an one-level object, so your example would make a query as below:

url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D8jPQjjsBbIc&format=json&maxwidth=500&maxheight=300&iframeAttributes=%5Bobject+Object%5D

However, that does not affect to the last result, because what we send is not important as what the target provider accepts and understands. I think almost if not all of them do not support this kind of params.

dJani97 commented 2 years ago

Hey, thanks for the response.

I ended up doing something like this:

const sandboxedHtml = html.replace(
  '<iframe',  
  '<iframe sandbox="allow-scripts allow-same-origin"'
);

That solves my problem. oembed-parser is a great library and covers a lot, probably my suggestion to add arbitrary attributes to the resulting HTML shouldn't be in it's scope.