Supporting iframe embeds from different domains?

Ok I think I have it working. I had to edit the whitelist-iframe.js.es6 file manually - perhaps I was doing something wrong when I cloned the repo?

It does still only appear to work when I use and https link though.

You’re missing a backslash to escape the period in .com in both of those regular expressions. This works:


Unless you have a reason to do it, you don’t need to use iframes for SoundCloud links. They work as oneboxes, so all you need to do is copy the url into a post.

that’s weird - it shows in my repo, just not when I pasted the text into here:

Yeah I was only using the SoundCloud embed as a test to make sure I had the plugin installed right. This is my first time installing a plugin :slight_smile:

1 Like

I’m trying this out in Firefox 50.1.0, but the console returns window.Discourse.Markdown is undefined. What am I doing wrong?

I need to find the correct syntax so that I can propose it to our forum admin.

Edit: Specifically I’d like to embed this iframe:

<iframe src="" width="400" height="300">
  <p><a href="" target="_blank">See the Fairphone Community Map!</a></p>

Yes, that doesn’t work anymore. If you clone the whitelist-iframe repo and add this line to the bottom of the whitelist-iframe.js.es6 file, it should work for you:


1 Like

Thank you! It’s a pity I can’t test this in the browser anymore, without modifying anything server-side…

This doesn’t work for newer versions of Discourse.

It might be possible. I’ll try now.

1 Like

You can test the regular expression in the browser by typing this into the console:

var whiteListIframe = require('pretty-text/sanitizer').whiteListIframe;


If you’ve got the regular expression right, you’ll see the iframe in the preview window, but not in the cooked post.


Thank you, this works great here locally! You can even paste both commands into the console at once.

I added Google Books to the list using


and it works. But it’s not perfect yet because it is not strictly limited to real google TLDs, which is a security issue. With the domains included by default, this has been solved by limiting them to the .com TLD. But at least in the case of Youtube this is too narrow.

I am not a RegEx expert and was not able to figure out how to specify a list of allowed TLDs. Anyone?

Simply replacing [a-z]{2,3} with something like (com|de|org) should work :slight_smile:


Well except for many other TLDs like .community and the like…

Sorry, I don’t understand. As far as I understood, @tophee was looking for a way to restrict the fuzzy match above to a concrete list of TLDs. doesn’t appear to resolve to anything, but if @tophee wants to whitelist it anyways, adding it to the list like (com|de|org|community) should work, right?


Yes. BTW, does anyone know where to find a complete list of all TLDs used by a service such as YouTube or Google Books?

Sure just reminding people that .com isn’t the only TLD any more… there are zillions of them and I’m not just talking about either!

Hi! I’m using this plugin to embed a go board on my forum, but the iframe size is too small.
Is there any way to change its size?

You can see a test on:

The embed link is:
<iframe id="gokibitz-rkfMsvdbW" src="//" style="width: 100%; min-height: 500px; display: block; border: 10px solid snow;"></iframe> <script src="//"></script>

Yes. You can’t use a style attribute - it gets stripped out by Discourse. Also, the script tag will be stripped out. You don’t need it for displaying the iframe.

The height has to be set to a fixed number. I think the only attributes you can use are width, height, and frameborder. Try something like:

<iframe src="//"  width="100%" height="800"  frameborder="0"></iframe>

To answer my own question, here seems to be a good place to look:

Considering the length of that list, I almost think the simple fuzzy match option might actually be better that including the whole list in your regex. The most pragmatic approach is probably to pick a few TLDs based on where your membership sits and add more based on complaints. It’s really only an issue for highly international communities anyway.