Merge pull request #138 from kiwiz/main

Fix incorrect handling of iframe SandboxValues
microcosm-cc · Feb 7, 2022 · 078c4be · 078c4be
2 parents ce0adc5 + 1d1aa60
commit 078c4be
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/policy.go b/policy.go
@@ -707,7 +707,7 @@ func (p *Policy) AllowURLSchemeWithCustomPolicy(
 func (p *Policy) RequireSandboxOnIFrame(vals ...SandboxValue) {
 	p.requireSandboxOnIFrame = make(map[string]bool)
 
-	for val := range vals {
+	for _, val := range vals {
 		switch SandboxValue(val) {
 		case SandboxAllowDownloads:
 			p.requireSandboxOnIFrame["allow-downloads"] = true

diff --git a/sanitize_test.go b/sanitize_test.go
@@ -1874,10 +1874,10 @@ func TestIssue107(t *testing.T) {
 func TestIFrameSandbox(t *testing.T) {
 	p := NewPolicy()
 	p.AllowAttrs("sandbox").OnElements("iframe")
-	p.RequireSandboxOnIFrame(SandboxAllowDownloads)
+	p.RequireSandboxOnIFrame(SandboxAllowForms, SandboxAllowPopups)
 
-	in := `<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>`
-	expected := `<iframe sandbox="allow-downloads"></iframe>`
+	in := `<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads allow-popups"></iframe>`
+	expected := `<iframe sandbox="allow-forms allow-popups"></iframe>`
 	out := p.Sanitize(in)
 	if out != expected {
 		t.Errorf(