From 79c5b8fac2668fbaad54c35cebbdc1916a4b51a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=98=D0=B2=D0=B0=D0=BD?= <contact.wani4ka@gmail.com>
Date: Sun, 13 Sep 2020 20:55:32 +0300
Subject: [PATCH] fix: security html module removes allow attribute from
 iframes (#2354)

* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes
* Apply suggestions from code review
fix: remove deprecated attributes for iframe in secure html module

Co-authored-by: Nicolas Giard <github@ngpixel.com>
---
 server/modules/rendering/html-security/renderer.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/modules/rendering/html-security/renderer.js b/server/modules/rendering/html-security/renderer.js
index b3233824..3bf9b2dc 100644
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@@ -29,6 +29,7 @@ module.exports = {
 
       if (config.allowIFrames) {
         allowedTags.push('iframe')
+        allowedAttrs.push('allow')
       }
 
       input = DOMPurify.sanitize(input, {