encodeURIComponent is both not safe enough and overdone
Pacharapol Withayasakpunt
I have tested with encodeURIComponent, decodeURIComponent and URL constructor, and the results are
Pacharapol Withayasakpunt
You can use any markdown implementation, including MarkdownIt, but first you have to make it insecure, by allowing HTML.
import MarkdownIt from 'markdown-it'

// html: true lets raw HTML in the markdown (such as an <iframe>) pass through to the rendered output
const markdownIt = MarkdownIt({
  html: true
})
Then, use DOMPurify, but allow the <iframe> tag, including related attributes.
Then, sanitize insecure iframes later.
DOMPurify.addHook('uponSanitizeElement', (node, data) => {
  // DOMPurify lower-cases tag names, so compare against 'iframe'
  if (data.tagName === 'iframe') {
    const src = node.getAttribute('src') || ''
    // remove any iframe that does not point at a YouTube embed URL
    if (!src.startsWith('https://www.youtube.com/embed/')) {
      node.parentNode?.removeChild(node)
    }
  }
})

// <iframe> is not in DOMPurify's default allow-list: add it, plus the attributes the embed code uses
const clean = DOMPurify.sanitize(markdownIt.render(markdown), {
  ADD_TAGS: ['iframe'],
  ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder']
})
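A worked example of the iframe check, added here and not taken from the comment above, from DOMPurify or from markdown-it. The `startsWith` test in the comment runs on the raw attribute string, so it accepts `https://www.youtube.com/embed/../watch?v=...`, which the browser resolves to a different youtube.com page before loading it. The version below uses the URL constructor mentioned earlier in the thread: it requires `https:`, an exact host match, a normalised path of exactly `/embed/<id>`, and then rebuilds the `src` from the validated id rather than passing the caller's string through. It also strips `srcdoc`, which browsers prefer over `src`. The names `allowedYouTubeEmbed`, `youtubeIframeHook` and `fakeIframe` are chosen for this example; the 11-character video-id format and the acceptance of `www.youtube-nocookie.com` alongside `www.youtube.com` are assumptions; `fakeIframe` is a test double so the hook can run without a DOM.

```javascript
// Added example: validate and canonicalise an iframe src with the URL constructor
// instead of a raw string prefix test. No dependencies; runs in Node or a browser.

// Hosts accepted for embeds. Treating www.youtube-nocookie.com (the privacy-enhanced
// embed host) as equivalent to www.youtube.com is an assumption of this example.
const EMBED_HOSTS = new Set(['www.youtube.com', 'www.youtube-nocookie.com']);

// Assumed format of a YouTube video id: 11 URL-safe base64 characters.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Returns the canonical embed URL for a valid YouTube embed src, or null for anything else.
function allowedYouTubeEmbed(raw) {
  let url;
  try {
    // No base URL: relative paths and protocol-relative '//host/...' inputs throw and are rejected.
    url = new URL(String(raw ?? '').trim());
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;      // rejects javascript:, data:, http:
  if (!EMBED_HOSTS.has(url.hostname)) return null;  // exact host: 'www.youtube.com.evil.com' and
                                                    // 'www.youtube.com@evil.com' both fail here
  // pathname is already normalised by the parser, so 'embed/../watch' shows up here as '/watch'
  const segments = url.pathname.split('/').filter(Boolean);
  if (segments.length !== 2 || segments[0] !== 'embed' || !VIDEO_ID.test(segments[1])) return null;
  // Rebuild the URL from the validated host and id; query string and fragment are dropped.
  return `https://${url.hostname}/embed/${segments[1]}`;
}

// Same signature as a DOMPurify 'uponSanitizeElement' hook: node is the element,
// data.tagName its lower-cased tag name. Register with DOMPurify.addHook(...).
function youtubeIframeHook(node, data) {
  if (data.tagName !== 'iframe') return;
  const canonical = allowedYouTubeEmbed(node.getAttribute('src'));
  if (canonical === null) {
    node.parentNode?.removeChild(node);   // not a YouTube embed: drop the whole element
    return;
  }
  node.setAttribute('src', canonical);    // canonical form replaces whatever the author wrote
  // Browsers give srcdoc precedence over src, so never let one survive on an allowed iframe.
  node.removeAttribute('srcdoc');
}

// Test double standing in for a DOM <iframe> element so the hook can be exercised
// without a browser or jsdom (constructed for this example, not part of any library).
function fakeIframe(attrs) {
  const store = new Map(Object.entries(attrs));
  return {
    removed: false,
    getAttribute: (name) => (store.has(name) ? store.get(name) : null),
    setAttribute: (name, value) => store.set(name, String(value)),
    removeAttribute: (name) => store.delete(name),
    parentNode: { removeChild: (child) => { child.removed = true; } },
  };
}
```

In a real page the hook is registered with `DOMPurify.addHook('uponSanitizeElement', youtubeIframeHook)` and the rendered markdown is passed through `DOMPurify.sanitize(html, { ADD_TAGS: ['iframe'], ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder'] })`; `fakeIframe` exists only so the check can be run offline. Because the `src` is rebuilt from the parsed id, a trailing `?autoplay=1` or similar is dropped; if particular player parameters are wanted, add them back from an allow-list rather than copying the author's query string.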