From 54e2f9107d03c5b3bb260f38fdb2736bce449fd4 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 6 Apr 2025 00:47:45 +0200
Subject: Disallow iframe srcdoc for now (#7494)

We do not sanitize this attribute well enough, so striped for now.
It is rarely used: I have not seen any use of it in any of my many test feeds.
Can be added back when we can handle its inherent security issues better.
---
 lib/lib_rss.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/lib_rss.php')

diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index b53838410..7e7dd4790 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -350,7 +350,7 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim
 	$simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [
 		'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
 		'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur',
-		'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcset']));
+		'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcdoc', 'srcset']));
 	$simplePie->add_attributes([
 		'audio' => ['controls' => 'controls', 'preload' => 'none'],
 		'iframe' => [
-- 
cgit v1.2.3