Strip iframe height and width?


(Vikhyat Korrapati) #1

It looks like the iframe src attribute is already stripped, but the height and width aren’t, which can lead to problems like the second post in this thread: http://try.discourse.org/t/testing-out-iframes/134/2

Considering that the src is removed, does it make sense to allow iframes at all? Also, perhaps it makes sense to have a limit on the maximum value of the height and width attributes of all elements? I have not tested it, but I am guessing the same thing should be possible with other elements as well, such as images.


(Régis Hanol) #2

Just pushed a fix that will remove any iframe that isn’t whitelisted (right now, only Google Maps iframes are allowed).

Image dimensions are already taken care of.
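
The two ideas raised in this thread, removing any iframe whose source is not on an allowlist and capping height and width, can be sketched as below. This is an added example, not part of either post and not Discourse's code; the allowlist entries, the `MAX_DIMENSION` cap and the function names are assumptions made for illustration.

```javascript
// Added example, not Discourse's implementation.
// Assumed allowlist entries and size cap (hypothetical values).
const ALLOWED_IFRAMES = [
  { host: "maps.google.com", pathPrefix: "/maps" },
  { host: "www.google.com", pathPrefix: "/maps/embed" },
];
const MAX_DIMENSION = 800; // pixels

// True only for absolute https URLs whose host and path match an entry.
function isAllowedIframeSrc(src) {
  let url;
  try {
    url = new URL(src); // throws on missing, relative or malformed values
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password || url.port) return false;
  return ALLOWED_IFRAMES.some(
    (rule) =>
      url.hostname === rule.host && // exact match, no suffix or substring test
      (url.pathname === rule.pathPrefix ||
        url.pathname.startsWith(rule.pathPrefix + "/"))
  );
}

// Plain digit strings only; "100%", "-5", "1e9" are dropped, large values capped.
function clampDimension(value) {
  if (!/^\d+$/.test(String(value))) return undefined;
  return Math.min(Number(value), MAX_DIMENSION);
}

// Returns the attributes to keep, or null when the iframe must be removed.
function sanitizeIframe(attrs) {
  if (!isAllowedIframeSrc(attrs.src)) return null;
  const clean = { src: new URL(attrs.src).href };
  for (const name of ["width", "height"]) {
    const n = clampDimension(attrs[name]);
    if (n !== undefined) clean[name] = String(n);
  }
  return clean; // every other attribute (onload, style, srcdoc...) is discarded
}

// Constructed sample input.
console.log(sanitizeIframe({ src: "https://maps.google.com/maps?q=paris", width: "99999", height: "300", onload: "x()" }));
console.log(sanitizeIframe({ src: "https://maps.google.com.evil.example/maps", width: "400" }));
```

Matching the parsed hostname exactly, rather than testing the raw string for a substring or prefix, is what keeps look-alike hosts and `user@host` forms off the allowlist.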


(Régis Hanol) #5

This topic was automatically closed after 1 day. New replies are no longer allowed.