From 0f1be65c1903299c56ef86932e02e90e5eab666a Mon Sep 17 00:00:00 2001
From: Mikhail Nelaev
Date: Thu, 6 Jul 2017 19:26:57 +0500
Subject: [PATCH] feature: iframe normalizer

https://jira.railsc.ru/browse/GOODS-638
---
 lib/string_tools.rb       | 24 +++++++++++++++++++++++-
 spec/string_tools_spec.rb | 11 +++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/lib/string_tools.rb b/lib/string_tools.rb
index dfdbef2..bba54a8 100644
--- a/lib/string_tools.rb
+++ b/lib/string_tools.rb
@@ -176,6 +176,9 @@ def sanitize(str, attr = {})
       attributes.merge!(attr)
       elements = attributes.keys | TAGS_WITHOUT_ATTRIBUTES
 
+      transformers = [LINK_NORMALIZER]
+      transformers << IframeNormalizer.new(attributes['iframe']) if attributes.key?('iframe')
+
       Sanitize.fragment(
         str,
         :attributes => attributes,
@@ -183,7 +186,7 @@ def sanitize(str, attr = {})
         :css => {:properties => Sanitize::Config::RELAXED[:css][:properties]},
         :remove_contents => %w(style javascript),
         :allow_comments => false,
-        :transformers => [LINK_NORMALIZER]
+        :transformers => transformers
       )
     end
   end
@@ -211,6 +214,25 @@ def normalize_link(node, attr_name)
       end
     end
 
+    class IframeNormalizer
+      def initialize(attributes)
+        @attributes = attributes
+      end
+
+      def call(env)
+        node = env[:node]
+
+        return unless node.name == 'iframe'
+
+        unless node[:src] =~ %r{^(http|https):?\/\/(www\.)?youtube?\.com\/}
+          node.unlink
+          return
+        end
+
+        Sanitize.node!(env[:node], elements: %w(iframe), attributes: {'iframe' => @attributes})
+      end
+    end
+
     LINK_NORMALIZER = LinkNormalizer.new
   end
 
diff --git a/spec/string_tools_spec.rb b/spec/string_tools_spec.rb
index db97de3..052374b 100644
--- a/spec/string_tools_spec.rb
+++ b/spec/string_tools_spec.rb
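Review bot: The host check in `IframeNormalizer#call` (third hunk, `unless node[:src] =~ %r{^(http|https):?\/\/(www\.)?youtube?\.com\/}`) anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a `src` value that begins with something else but contains a newline followed by a youtube URL passes the check; the `?` after `youtube` also makes the `e` optional, so `youtub.com` is accepted, and `:?` lets `http//` through. Since the following `Sanitize.node!` call passes no `:protocols` option, this regex appears to be the only thing restricting the scheme and host of the surviving iframe, so it should be the strict form: `unless node[:src] =~ %r{\Ahttps?://(www\.)?youtube\.com/}`. The intent is worth a one-line comment above the check, e.g. `# only http(s) embeds from youtube.com survive; any other iframe is removed`; a `nil` or non-matching `src` already falls into the `node.unlink` branch, which is the right fail-closed default.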
@@ -43,6 +43,17 @@ sanitized_string = described_class.sanitize(origin_str) expect(sanitized_string).to eq 'az' end + + it 'removes iframes but keeps youtube' do + origin_str = + '' \ + '' + sanitized_string = described_class.sanitize(origin_str, 'iframe' => %w(src width height frameborder)) + expect(sanitized_string). + to eq('') + end end describe '#clear_unicode_separator_characters' do