From 1d1aa608ce7cd35f940949b8dd4884a8a94653fe Mon Sep 17 00:00:00 2001
From: K
Date: Sun, 6 Feb 2022 17:41:36 -0500
Subject: [PATCH] Fix incorrect handling of iframe SandboxValues
---
 policy.go | 2 +-
 sanitize_test.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy.go b/policy.go
index 8a08163..1a5e00c 100644
--- a/policy.go
+++ b/policy.go
@@ -707,7 +707,7 @@ func (p *Policy) AllowURLSchemeWithCustomPolicy(
 func (p *Policy) RequireSandboxOnIFrame(vals ...SandboxValue) {
 p.requireSandboxOnIFrame = make(map[string]bool)
 
- for val := range vals {
+ for _, val := range vals {
 switch SandboxValue(val) {
 case SandboxAllowDownloads:
 p.requireSandboxOnIFrame["allow-downloads"] = true
diff --git a/sanitize_test.go b/sanitize_test.go
index fa9e641..a90248e 100644
--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -1874,10 +1874,10 @@ func TestIssue107(t *testing.T) {
 func TestIFrameSandbox(t *testing.T) {
 p := NewPolicy()
 p.AllowAttrs("sandbox").OnElements("iframe")
- p.RequireSandboxOnIFrame(SandboxAllowDownloads)
+ p.RequireSandboxOnIFrame(SandboxAllowForms, SandboxAllowPopups)
 
- in := ``
- expected := ``
+ in := ``
+ expected := ``
 out := p.Sanitize(in)
 if out != expected {
 t.Errorf(
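Review bot: The conversion kept in `switch SandboxValue(val) {` in policy.go is now redundant, and it is what let the old loop compile while switching on the slice index instead of the element. With `for _, val := range vals`, `val` is already a `SandboxValue`, so the line can be `switch val {`. Assuming the `SandboxAllow…` constants are typed `SandboxValue`, an accidental `int` would then be a compile error rather than a silent change to which sandbox tokens the sanitizer keeps on iframes. The switch body continues outside the hunk, so whether it has a `default` arm for unknown values cannot be checked from here.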