Closed GoogleCodeExporter closed 9 years ago
sample iframe (I think it's because the iframe isn't immediately closed):
<iframe width="560" height="315" src="//www.youtube.com/embed/xHUQ5C_yMo4"
frameborder="0" allowfullscreen></iframe> <p>ss</p>
Original comment by mga2...@gmail.com
on 30 Nov 2013 at 2:34
If you just add "iframe" to the tag whitelist, all you're whitelisting is
<iframe></iframe>
If you want to be able to have attributes, you have to explicitly allow any
combination you want (look at how it's done with images for an example).
Like every sanitizer should, this one disallows everything by default.
Original comment by b...@stackoverflow.com
on 30 Nov 2013 at 8:39
Original issue reported on code.google.com by
mga2...@gmail.com
on 30 Nov 2013 at 2:31