Supporting iframe embeds from different domains?

I’m trying this out in Firefox 50.1.0, but the console returns window.Discourse.Markdown is undefined. What am I doing wrong?

I need to find the correct syntax so that I can propose it to our forum admin.

Edit: Specifically I’d like to embed this iframe:

<iframe src="" width="400" height="300">
  <p><a href="" target="_blank">See the Fairphone Community Map!</a></p>

Yes, that doesn’t work anymore. If you clone the whitelist-iframe repo and add this line to the bottom of the whitelist-iframe.js.es6 file, it should work for you:


1 Like

Thank you! It’s a pity I can’t test this in the browser anymore, without modifying anything server-side…

This doesn’t work for newer versions of Discourse.

It might be possible. I’ll try now.

1 Like

You can test the regular expression in the browser by typing this into the console:

var whiteListIframe = require('pretty-text/sanitizer').whiteListIframe;


If you’ve got the regular expression right, you’ll see the iframe in the preview window, but not in the cooked post.


Thank you, this works great here locally! You can even paste both commands into the console at once.

I added Google Books to the list using


and it works. But it’s not perfect yet because it is not strictly limited to real google TLDs, which is a security issue. With the domains included by default, this has been solved by limiting them to the .com TLD. But at least in the case of Youtube this is too narrow.

I am not a RegEx expert and was not able to figure out how to specify a list of allowed TLDs. Anyone?

Simply replacing [a-z]{2,3} with something like (com|de|org) should work :slight_smile:


Well except for many other TLDs like .community and the like…

Sorry, I don’t understand. As far as I understood, @tophee was looking for a way to restrict the fuzzy match above to a concrete list of TLDs. doesn’t appear to resolve to anything, but if @tophee wants to whitelist it anyways, adding it to the list like (com|de|org|community) should work, right?


Yes. BTW, does anyone know where to find a complete list of all TLDs used by a service such as YouTube or Google Books?

Sure just reminding people that .com isn’t the only TLD any more… there are zillions of them and I’m not just talking about either!

Hi! I’m using this plugin to embed a go board on my forum, but the iframe size is too small.
Is there any way to change its size?

You can see a test on:

The embed link is:
<iframe id="gokibitz-rkfMsvdbW" src="//" style="width: 100%; min-height: 500px; display: block; border: 10px solid snow;"></iframe> <script src="//"></script>

Yes. You can’t use a style attribute - it gets stripped out by Discourse. Also, the script tag will be stripped out. You don’t need it for displaying the iframe.

The height has to be set to a fixed number. I think the only attributes you can use are width, height, and frameborder. Try something like:

<iframe src="//"  width="100%" height="800"  frameborder="0"></iframe>

To answer my own question, here seems to be a good place to look:

Considering the length of that list, I almost think the simple fuzzy match option might actually be better that including the whole list in your regex. The most pragmatic approach is probably to pick a few TLDs based on where your membership sits and add more based on complaints. It’s really only an issue for highly international communities anyway.


If you’re using a fork of the Iframe Whitelist plugin with Discourse 1.9.0, you’ll need to sync your fork with the latest version, found here:


For anyone using the whitelist-iframe plugin, it is broken on the latest version of Discourse (1.9.0.beta8.) There is now an allowed iframes setting on the Discourse settings page. Remove the whitelist-iframe plugin and add any iframe sources you would like to whitelist to that setting.


anyone know the whitelist address (to put in settings) for any of these sites?

kind of a noob here

Hmm is this countdown scenario a use case for your Chrono plugin @joffreyjaffeux?

1 Like