iframes can now be whitelisted through the allowed_iframes Site Setting. It accepts a list of iframe src domain prefixes that discourse can safely allow in posts. The whitelist-iframe plugin is no longer required.
What I have done is make a plugin that calls the Discourse.Markdown.whiteListIframe function. The plugin is very simple, The hard part is that you have to supply regular expressions to match any URLs you want to white-list. The code is here. https://github.com/scossar/whitelist-iframe
You can test any URLs you wish to whitelist in your web browser’s console window. For example, if you open the browser’s console from a Discourse forum and then enter the following line, you should be able to embed iframes from Freesound.
Yes, I based it off the source that @BCHK supplied and it works. Maybe the regular expression I am using is too specific though. Would there be any risk in just using this?
IMHO not any moreso than the other, They both end in “one or more anything characters”
i.e. It’s the “anything” that opens up the potential for problems, eg. If it is known that they always end with digits, I’d add that in.
Not that the problem would necessarily be a security risk. I think if someone posted a bad URL it would result in a broken link either way. Only difference is the onebox wouldn’t try with a bad URL
Are you able to install plugins? If so, it is here: https://github.com/scossar/whitelist-iframe
Right now I am just hardcoding urls into the plugin. It currently works for SoundCloud, FreeSound and now New York Times video. That’s not an ideal way to do it. It could probably be set up to allow acceptable urls to be added through the admin section.
Hello, We need max width and length for iframe. What we can do, to realize this?
I have found this, but I’m not sure. I’m newbie in JS.
Somebody can help me?
Just learning to install plugins into Discourse. I got the plugin installed and it works! Now… How do you find the file in Digital Ocean so I can hardcode a new domain to whitelist? /var/discourse/plugins doesn’t exist…
To find the file on Digital Ocean, ssh into your droplet and then run:
$ cd /var/discourse $ ./launcher enter app $ cd var/www/discourse/plugins
The problem with changing things that way is that your changes will be overwritten every time you update Discourse. The right way to do it is to update the plugin file that is in the repository on github and then run launcher rebuild app in your droplet.
You can do that by cloning my repository on github and making the changes you want in your cloned version. You then need to change the url that you have added to the app.yml file so that it pulls from your new repository. If this isn’t clear, just let me know
I can also just add the domain you want to whitelist to the plugin file that is in my repository.