Sanitize iframe before setting to event

lib/unhangout-sockets.js

@@ -412,12 +412,16 @@ _.extend(UnhangoutSocketManager.prototype, events.EventEmitter.prototype, {
             if (!("iframeCode" in args)) {
                 return mgr.writeErr(socket, "insert-iframe", "Missing Iframe Code");
             }
+            var iframeCode = utils.sanitizeIframe(args.iframeCode);
+            if (iframeCode === null) {
+                return mgr.writeErr(socket, "insert-iframe", "Invalid iframe code");
+            }
             var event = this.getEvent(args.roomId);
             if (event && socket.user.isAdminOf(event)) {
-                event.set("iframeEmbedCode", args.iframeCode);
+                event.set("iframeEmbedCode", iframeCode);
                 event.save();
                 mgr.writeAck(socket, "embed-iframe");
-                event.logAnalytics({action: "embed-iframe", user: socket.user, iframeCode: args.iframeCode});
+                event.logAnalytics({action: "embed-iframe", user: socket.user, iframeCode: iframeCode});
             } else {
                 return mgr.writeErr(socket, "embed-iframe", "Missing event or not admin");
             }

lib/utils.js

@@ -3,8 +3,8 @@ var _ = require("underscore"),
     toobusy = require("toobusy"),
     options = require("./options"),
     logger = require("./logging").getLogger(),
-    cheerio = require("cheerio");
-
+    cheerio = require("cheerio"),
+    Promise = require("bluebird");
 // Configure maximum latency in the event loop.  See
 // https://github.com/lloyd/node-toobusy for more.
 toobusy.maxLag(options.MAX_EVENT_LOOP_LAG);
@@ -137,6 +137,18 @@ module.exports = {
               logPolicy
         );
     },
+    /**
+     * Ensure that the given iframeCode consists of a single iframe tag and no
+     * extra junk.
+     */
+    sanitizeIframe: function(iframeCode) {
+        var $ = cheerio.load(iframeCode);
+        var iframe = $("iframe").empty()[0];
+        if (!iframe) {
+          return null;
+        }
+        return cheerio.html(iframe);
+    },
     getEventSanitizationWarnings: function(event) {
         // Run caja-sanitizer on the raw HTML fields, using the `logPolicy`
         // to construct a list of risky issues.  Then, iterate over these to 

package.json

@@ -36,7 +36,7 @@
     "backbone": "1.1.2",
     "bluebird": "1.1.1",
     "caja-sanitizer": "*",
-    "cheerio": "0.13.1",
+    "cheerio": "0.20.0",
     "connect-redis": "1.4.7",
     "connect-slashes": "1.3.0",
     "deep-copy": "^1.0.0",

test/test.sanitize-iframe.js

@@ -0,0 +1,34 @@
+var expect = require("chai").expect;
+var sanitizeIframe = require("../lib/utils").sanitizeIframe;
+
+/*
+ *  Rather than doing a full test of caja-sanitizer, just make sure that the
+ *  basics are wired up right and that our custom policy functions work.
+ */
+describe("SANITIZE IFRAME", function() {
+  it("Passes through clean iframe code", function() {
+    var code = '<iframe width="560" height="315" src="https://www.youtube.com/embed/zol2MJf6XNE" frameborder="0" allowfullscreen></iframe>';
+    expect(sanitizeIframe(code)).to.equal(code);
+  });
+
+  it("Removes trailing tags", function() {
+    var code = "<iframe src='https://asdf.com'></iframe><script src='bad.js'></script><iframe src='https://asdf.com'></iframe>";
+    expect(sanitizeIframe(code)).to.equal('<iframe src="https://asdf.com"></iframe>');
+  });
+  it("Removes leading tags", function() {
+    var code = "<p>This is nonsense</p><iframe src='https://asdf.com'></iframe>";
+    expect(sanitizeIframe(code)).to.equal('<iframe src="https://asdf.com"></iframe>');
+  });
+  it("Removes inner html", function() {
+    var code = "<iframe src='https://asdf.com'><p>WAT?</p></iframe>";
+    expect(sanitizeIframe(code)).to.equal('<iframe src="https://asdf.com"></iframe>');
+  });
+  it("Returns null for no iframes", function() {
+    var code = "<p>wat</p>";
+    expect(sanitizeIframe(code)).to.be.null;
+  });
+  it("Returns null for seriously busted markup", function() {
+    var code = "<iframe src='yeah'";
+    expect(sanitizeIframe(code)).to.be.null;
+  });
+});