add: sanitize src urls for embeds as well

shreya-kamble · shreya-kamble · commit b2cd96a81796 · 2025-01-09T18:37:14.000+05:30
diff --git a/README.md b/README.md
@@ -161,6 +161,7 @@ On the other hand, the `customTextWrapper` parser function provides the followin
 -   `child`: The HTML string that specifies the child element
 -   `value`: The value passed against the child element
 
+
 You can use the following customized JSON RTE Serializer code to convert your JSON RTE field data into HTML format.
 
 ```javascript
@@ -230,6 +231,60 @@ The resulting HTML data will look as follows:
 ```HTML
 <p><social-embed url="https://twitter.com/Contentstack/status/1508911909038436365?cxt=HHwWmsC9-d_Y3fApAAAA"></social-embed></p><p>This <color data-color="red">is</color> text.</p>
 ```
+<br>
+<br>
+
+##### <p>You can pass the option `skipURLSanitization` as true to bypass the validation checks and sanitization for the src URLs of JSON element types - social embed and embed.</p>
+<div>By default, this option is set to false.</div>
+
+#### Examples:
+
+ 1. For the following JSON, with src url containing script tags
+ ```JSON 
+    {
+        "type": "doc",
+        "attrs": {},
+        "children": [
+            {
+                "type": "social-embeds",
+                "attrs": {
+                    "src": "https://www.youtube.com/watch?v=Gw7EqoOYC9A\"></iframe><script>alert(document.cookie)</script><iframe ",
+                    "width": 560,
+                    "height": 320
+                },
+            }
+        ]
+  }
+```
+The resulting HTML:
+```HTML
+<iframe src="https://www.youtube.com/watch?v=Gw7EqoOYC9A" width="560" height="320" data-type="social-embeds" ></iframe>
+```    
+
+2. For any JSON containing src urls violating expected protocols, the src attribute will be removed when converted to HTML
+
+ ```JSON  
+  {
+      "type": "doc",
+      "attrs": {},
+      "children": [
+          {
+              "type": "social-embeds",
+              "attrs": {
+                  "src": "www.youtube.com/watch?v=Gw7EqoOYC9A\">",
+                  "width": 560,
+                  "height": 320
+              },
+          }
+      ]
+  }
+```
+The resulting HTML:
+```HTML
+<iframe width="560" height="320" data-type="social-embeds" ></iframe>
+```  
+
+<br>
 
 ### Convert HTML to JSON
 
diff --git a/src/toRedactor.tsx b/src/toRedactor.tsx
@@ -495,7 +495,7 @@ export const toRedactor = (jsonValue: any,options?:IJsonToHtmlOptions) : string
         figureStyles.fieldsEdited.push(figureStyles.caption)
       }
     
-      if (!options?.skipURLSanitization && jsonValue['type'] === 'social-embeds') {
+      if (!options?.skipURLSanitization && (jsonValue['type'] === 'social-embeds' || jsonValue['type'] === 'embed')) {
         const sanitizedHTML = DOMPurify.sanitize(allattrs['src']);
   
         const urlMatch = sanitizedHTML.match(/https?:\/\/[^\s"'<>()]+/);
diff --git a/test/expectedJson.ts b/test/expectedJson.ts
@@ -2002,9 +2002,9 @@ export default {
     },
     "RT-360":{  
         "html": [
-            `<iframe src="https://www.youtube.com/watch?v=Gw7EqoOYC9A" width="560" height="320" data-type="social-embeds" ></iframe>`,
-            `<iframe width="560" height="320" data-type="social-embeds" ></iframe>`,
-            '<iframe width="560" height="320" data-type="social-embeds" ></iframe>',
+            `<iframe src="https://www.youtube.com/watch?v=Gw7EqoOYC9A" width="560" height="320" data-type="social-embeds" ></iframe><iframe allowfullscreen=\"true\" src=\"https://www.youtube.com/watch?v=Gw7EqoOYC9A\"></iframe>`,
+            `<iframe width="560" height="320" data-type="social-embeds" ></iframe><iframe allowfullscreen=\"true\"></iframe>`,
+            '<iframe width="560" height="320" data-type="social-embeds" ></iframe><iframe allowfullscreen=\"true\"></iframe>',
         ],
         "json": 
         [
@@ -2026,6 +2026,24 @@ export default {
                                 "text": ""
                             }
                         ]
+                    },
+                    {
+                        "uid": "d3c2ab78a5e547b082f95dc01123b0c1",
+                        "type": "doc",
+                        "_version": 11,
+                        "attrs": {},
+                        "children": [
+                            {
+                                "uid": "87fed1cc68ce435caa0f71d17788c618",
+                                "type": "embed",
+                                "attrs": {
+                                    "src": "https://www.youtube.com/watch?v=Gw7EqoOYC9A\"></iframe><script>alert(document.cookie)</script><iframe ",
+                                    "redactor-attributes": {
+                                        "allowfullscreen": true
+                                    }
+                                }
+                            }
+                        ]
                     }
                 ],
                 "_version": 1
@@ -2048,7 +2066,25 @@ export default {
                         "text": ""
                       }
                     ]
-                  }
+                  },
+                  {
+                    "uid": "d3c2ab78a5e547b082f95dc01123b0c1",
+                    "type": "doc",
+                    "_version": 11,
+                    "attrs": {},
+                    "children": [
+                        {
+                            "uid": "87fed1cc68ce435caa0f71d17788c618",
+                            "type": "embed",
+                            "attrs": {
+                                "src": null,
+                                "redactor-attributes": {
+                                    "allowfullscreen": true
+                                }
+                            }
+                        }
+                    ]
+                }
                 ],
                 "_version": 1
             },
@@ -2070,7 +2106,25 @@ export default {
                         "text": ""
                       }
                     ]
-                  }
+                  },
+                  {
+                    "uid": "d3c2ab78a5e547b082f95dc01123b0c1",
+                    "type": "doc",
+                    "_version": 11,
+                    "attrs": {},
+                    "children": [
+                        {
+                            "uid": "87fed1cc68ce435caa0f71d17788c618",
+                            "type": "embed",
+                            "attrs": {
+                                "src": "www.youtube.com/embed/VD6xJq8NguY",
+                                "redactor-attributes": {
+                                    "allowfullscreen": true
+                                }
+                            }
+                        }
+                    ]
+                }
                 ],
                 "_version": 1
             }

Original file line number	Diff line number	Diff line change
`@@ -495,7 +495,7 @@ export const toRedactor = (jsonValue: any,options?:IJsonToHtmlOptions) : string`
`495`	`495`	`figureStyles.fieldsEdited.push(figureStyles.caption)`
`496`	`496`	`}`
`497`	`497`
`498`		`- if (!options?.skipURLSanitization && jsonValue['type'] === 'social-embeds') {`
	`498`	`+ if (!options?.skipURLSanitization && (jsonValue['type'] === 'social-embeds' \|\| jsonValue['type'] === 'embed')) {`
`499`	`499`	`const sanitizedHTML = DOMPurify.sanitize(allattrs['src']);`
`500`	`500`
`501`	`501`	`const urlMatch = sanitizedHTML.match(/https?:\/\/[^\s"'<>()]+/);`