Reputation:
I am using textAngular, which uses angular-sanitize to parse HTML.
I am trying to embed videos with iframe tags, but these get removed when textAngular calls angular-sanitize to parse the HTML.
How should I change angular-sanitize to allow iframe tags with, e.g., links to YouTube videos?
Or how else should I embed videos in my HTML?
Upvotes: 3
Views: 3605
Reputation: 306
This is how I did it.
textAngular is using a separate sanitize js file, textAngular-sanitize.min.js.
Even though it is minified, open it up and you will find groups of tags; look for this:
A=b.extend({},x,e("address,article,aside,blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5,h6,header,hgroup,hr,ins,map,menu,nav,ol,pre,script,section,table,ul"))
And just add the iframe tag:
A=b.extend({},x,e("address,article,aside,blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5,h6,header,hgroup,hr,iframe,ins,map,menu,nav,ol,pre,script,section,table,ul"))
I kept it in alpha order.
This makes it "safe", problem solved.
Upvotes: 6
Reputation: 22933
One option might be to change the text before you sanitize it, then change it back afterwards. Something like:
var text = 'some text <iframe></iframe> some more text';
text = text.replace('<iframe', '[[iframe');
text = text.replace('</iframe>', '[[/iframe]]');
text = sanitize(text);
text = text.replace('[[iframe', '<iframe');
text = text.replace('[[/iframe]]', '</iframe>');
But by doing that you're opening yourself up to attacks when embedding YouTube videos with an iframe. What you should do is come up with some internal BBCode which you replace just before printing it out. That is, you let your users pass something like [youtube video_id=ZZZ], which you replace with an iframe after you've sanitized it.
Upvotes: 1
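The [youtube video_id=ZZZ] approach from the answer above, as an added example (not code from the thread, textAngular or angular-sanitize): the input is sanitized first, and only then are shortcodes with a strictly validated ID expanded into a fixed iframe template. The function names, the 11-character ID pattern and the `demoSanitize` stand-in are assumptions made for this example.

```javascript
// Added example. Names (SHORTCODE, embedYouTube, expandShortcodes, renderWithVideos,
// demoSanitize) are hypothetical and not part of textAngular or angular-sanitize.

// Assumption: a YouTube video ID is exactly 11 characters from [A-Za-z0-9_-].
var SHORTCODE = /\[youtube video_id=([A-Za-z0-9_-]{11})\]/g;

// The iframe is a fixed template; the validated ID is the only user-supplied part.
function embedYouTube(videoId) {
  return '<iframe width="560" height="315"' +
    ' src="https://www.youtube.com/embed/' + videoId + '"' +
    ' sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe>';
}

// Expand shortcodes in text only, never inside a tag, so a shortcode placed
// in an attribute value cannot inject markup there.
// Assumption: the sanitizer entity-encodes "<" and ">" inside text and attributes.
function expandShortcodes(sanitizedHtml) {
  return sanitizedHtml.split(/(<[^>]*>)/).map(function (part, i) {
    if (i % 2 === 1) { return part; }            // odd index: a tag, keep as-is
    return part.replace(SHORTCODE, function (match, id) {
      return embedYouTube(id);
    });
  }).join('');
}

// Sanitize first, expand second.
function renderWithVideos(untrustedHtml, sanitize) {
  return expandShortcodes(sanitize(untrustedHtml));
}

// Constructed stand-in so the example runs offline; NOT a real sanitizer.
// In the application, pass the page's sanitizer (e.g. a wrapper around $sanitize).
function demoSanitize(html) {
  return html.replace(/<\/?(iframe|script)\b[^>]*>/gi, '');
}

// Constructed sample input: one shortcode plus a raw iframe the sanitizer drops.
var sample = '<p>Demo [youtube video_id=abc_DEF-123]</p>' +
  '<iframe src="https://attacker.example/"></iframe>';
console.log(renderWithVideos(sample, demoSanitize));
```

Because the sanitizer's tag whitelist stays unmodified, user-supplied iframe markup is still removed; the only iframe that can reach the page is the one built by `embedYouTube`.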