microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

add iframe to default elements without attributes #68

Closed jtamary closed 2 years ago

jtamary commented 6 years ago

I'm not sure this is the right fix. If not, please guide me :) Fixes issue #66

buro9 commented 6 years ago

It works, and this is fine... but when do you ever have an iframe that has no attributes? Width? Height? Id? Src? Name?

I'm unsure whether to merge as whilst it works... I'm not sure I understand why it would need to be done as an iframe without attributes does nothing. And if you have a script that would discover the iframe in the DOM and try and do something, typically that script would fully own creating elements it needs.

buro9 commented 2 years ago

I'm going to decline this one as the question was never answered... is there ever an instance in which it is valid to have an iframe with no attributes? No example of why this should be the case has been given.