From 393de1a283d66e1fb2e6ca71e37b3330abe064c6 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Sun, 14 Mar 2021 13:41:43 -0400
Subject: [PATCH] Use system.allowed_oembed config to allow iframe source
---
 src/Content/Text/BBCode.php | 7 +++++++
 src/Module/Admin/Site.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index c6095cd419..6101f5479c 100644
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1884,6 +1884,13 @@ class BBCode
 'player.vimeo.com/video/',
 ];
+ $allowedIframeDomains = array_merge(
+ $allowedIframeDomains,
+ DI::config()->get('system', 'allowed_oembed') ?
+ explode(',', DI::config()->get('system', 'allowed_oembed')) : []
+ );
+
 $text = HTML::purify($text, $allowedIframeDomains);
 return $text;
diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php
index 8cd2648cf6..dff2a1076c 100644
--- a/src/Module/Admin/Site.php
+++ b/src/Module/Admin/Site.php
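Review bot: The new `explode(',', ...)` hands each configured entry to `HTML::purify` untrimmed, so a value entered in the admin form as `example.com, other.org` yields `' other.org'` and `a.com,,b.com` yields an empty-string entry; whether such entries simply fail to match or match more than intended depends on the purifier's comparison, which is not visible in this hunk. Normalising the list first is a one-line change, `array_filter(array_map('trim', explode(',', DI::config()->get('system', 'allowed_oembed'))))`, after which the `? :` guard and the second `DI::config()->get()` call are no longer needed. The built-in entries above the hunk carry path prefixes (`player.vimeo.com/video/`) while the configured ones are bare domains, so a comment on the `array_merge` should say what form the purifier expects, e.g. `// Admin-configured hosts (system.allowed_oembed) are also accepted as iframe sources; entries are bare host names, not URL prefixes`. Because this setting was previously documented as accepting wildcards, existing entries such as `*.example.com` now reach the purifier unchanged and should be checked against its matching rules rather than assumed to work. The enclosing method starts before this hunk.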
@@ -624,7 +624,7 @@ class Site extends BaseAdmin
 '$allowed_sites' => ['allowed_sites', DI::l10n()->t('Allowed friend domains'), DI::config()->get('system', 'allowed_sites'), DI::l10n()->t('Comma separated list of domains which are allowed to establish friendships with this site. Wildcards are accepted. Empty to allow any domains')],
 '$allowed_email' => ['allowed_email', DI::l10n()->t('Allowed email domains'), DI::config()->get('system', 'allowed_email'), DI::l10n()->t('Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains')],
 '$no_oembed_rich_content' => ['no_oembed_rich_content', DI::l10n()->t('No OEmbed rich content'), DI::config()->get('system', 'no_oembed_rich_content'), DI::l10n()->t('Don\'t show the rich content (e.g. embedded PDF), except from the domains listed below.')],
- '$allowed_oembed' => ['allowed_oembed', DI::l10n()->t('Allowed OEmbed domains'), DI::config()->get('system', 'allowed_oembed'), DI::l10n()->t('Comma separated list of domains which oembed content is allowed to be displayed. Wildcards are accepted.')],
+ '$allowed_oembed' => ['allowed_oembed', DI::l10n()->t('Trusted third-party domains'), DI::config()->get('system', 'allowed_oembed'), DI::l10n()->t('Comma separated list of domains from which content is allowed to be embedded in posts like with OEmbed. All sub-domains of the listed domains are allowed as well.')],
 '$block_public' => ['block_public', DI::l10n()->t('Block public'), DI::config()->get('system', 'block_public'), DI::l10n()->t('Check to block public access to all otherwise public personal pages on this site unless you are currently logged in.')],
 '$force_publish' => ['publish_all', DI::l10n()->t('Force publish'), DI::config()->get('system', 'publish_all'), DI::l10n()->t('Check to force all profiles on this site to be listed in the site directory.') . '' . DI::l10n()->t('Enabling this may violate privacy laws like the GDPR') . ''],
 '$global_directory' => ['directory', DI::l10n()->t('Global directory URL'), DI::config()->get('system', 'directory'), DI::l10n()->t('URL to the global directory. If this is not set, the global directory is completely unavailable to the application.')],
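Review bot: The replacement help text for `$allowed_oembed` asserts that all sub-domains of a listed domain are accepted and drops the former "Wildcards are accepted" sentence, but the matching is done elsewhere (`HTML::purify` for iframe sources and whatever the OEmbed code does with the same setting), neither of which is visible here, so the claim should be confirmed against both consumers before it ships as a translation string. If the OEmbed path still honours wildcards while the purifier does not, admins with existing `*.example.com` entries would get different behaviour from the two features that now share this list. Since the setting now also gates raw iframe sources in posts, the text should say so explicitly, e.g. `'... allowed to be embedded in posts, via OEmbed or as an iframe source. ...'`, so that an admin understands the widened trust before adding a domain.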