Sanitize rich media HTML

lib/pleroma/web/rich_media/parser/card.ex

@@ -28,6 +28,12 @@ def parse(%Embed{url: url, oembed: %{"type" => type, "title" => title} = oembed}
       when type in @types and is_binary(url) do
     uri = URI.parse(url)
 
+    html =
+      case FastSanitize.Sanitizer.scrub(oembed["html"], Pleroma.HTML.Scrubber.OEmbed) do
+        {:ok, html} -> html
+        _ -> ""
+      end
+
     %Card{
       url: url,
       title: title,
@@ -37,7 +43,7 @@ def parse(%Embed{url: url, oembed: %{"type" => type, "title" => title} = oembed}
       author_url: oembed["author_url"],
       provider_name: oembed["provider_name"] || uri.host,
       provider_url: oembed["provider_url"] || "#{uri.scheme}://#{uri.host}",
-      html: oembed["html"],
+      html: html,
       width: oembed["width"],
       height: oembed["height"],
       image: oembed["thumbnail_url"] |> proxy(),

priv/scrubbers/o_embed.ex

@@ -0,0 +1,18 @@
+defmodule Pleroma.HTML.Scrubber.OEmbed do
+  @moduledoc """
+  Scrubs OEmbed HTML
+  """
+  require FastSanitize.Sanitizer.Meta
+  alias FastSanitize.Sanitizer.Meta
+
+  Meta.strip_comments()
+
+  Meta.allow_tag_with_these_attributes(:iframe, [
+    "width",
+    "height",
+    "src",
+    "allowfullscreen"
+  ])
+
+  Meta.strip_everything_not_covered()
+end