From c719cf7df0ca8dd8d2034ed1c2cb75e9b59bc086 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot <fred@miniflux.net>
Date: Tue, 12 Jun 2018 18:45:09 -0700
Subject: Rewrite iframe Youtube URLs to https://www.youtube-nocookie.com

---
 reader/sanitizer/sanitizer.go      | 23 ++++++++++++++++--
 reader/sanitizer/sanitizer_test.go | 50 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 2 deletions(-)

(limited to 'reader/sanitizer')

diff --git a/reader/sanitizer/sanitizer.go b/reader/sanitizer/sanitizer.go
index d1ad13e..2853911 100644
--- a/reader/sanitizer/sanitizer.go
+++ b/reader/sanitizer/sanitizer.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"regexp"
 	"strings"
 
 	"github.com/miniflux/miniflux/url"
@@ -15,6 +16,10 @@ import (
 	"golang.org/x/net/html"
 )
 
+var (
+	youtubeEmbedRegex = regexp.MustCompile(`http[s]?://www\.youtube\.com/embed/(.*)`)
+)
+
 // Sanitize returns safe HTML.
 func Sanitize(baseURL, input string) string {
 	tokenizer := html.NewTokenizer(bytes.NewBufferString(input))
@@ -85,8 +90,12 @@ func sanitizeAttributes(baseURL, tagName string, attributes []html.Attribute) ([
 		}
 
 		if isExternalResourceAttribute(attribute.Key) {
-			if tagName == "iframe" && !isValidIframeSource(attribute.Val) {
-				continue
+			if tagName == "iframe" {
+				if isValidIframeSource(attribute.Val) {
+					value = rewriteIframeURL(attribute.Val)
+				} else {
+					continue
+				}
 			} else {
 				value, err = url.AbsoluteURL(baseURL, value)
 				if err != nil {
@@ -274,6 +283,7 @@ func isValidIframeSource(src string) bool {
 	whitelist := []string{
 		"http://www.youtube.com",
 		"https://www.youtube.com",
+		"https://www.youtube-nocookie.com",
 		"http://player.vimeo.com",
 		"https://player.vimeo.com",
 		"http://www.dailymotion.com",
@@ -365,3 +375,12 @@ func inList(needle string, haystack []string) bool {
 
 	return false
 }
+
+func rewriteIframeURL(link string) string {
+	matches := youtubeEmbedRegex.FindStringSubmatch(link)
+	if len(matches) == 2 {
+		return `https://www.youtube-nocookie.com/embed/` + matches[1]
+	}
+
+	return link
+}
diff --git a/reader/sanitizer/sanitizer_test.go b/reader/sanitizer/sanitizer_test.go
index 6456378..6eb9b0d 100644
--- a/reader/sanitizer/sanitizer_test.go
+++ b/reader/sanitizer/sanitizer_test.go
@@ -162,3 +162,53 @@ func TestEspaceAttributes(t *testing.T) {
 		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
 	}
 }
+
+func TestReplaceYoutubeURL(t *testing.T) {
+	input := `<iframe src="http://www.youtube.com/embed/test123?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent"></iframe>`
+	expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?version=3&amp;rel=1&amp;fs=1&amp;autohide=2&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent"></iframe>`
+	output := Sanitize("http://example.org/", input)
+
+	if expected != output {
+		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+	}
+}
+
+func TestReplaceSecureYoutubeURL(t *testing.T) {
+	input := `<iframe src="https://www.youtube.com/embed/test123"></iframe>`
+	expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123"></iframe>`
+	output := Sanitize("http://example.org/", input)
+
+	if expected != output {
+		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+	}
+}
+
+func TestReplaceSecureYoutubeURLWithParameters(t *testing.T) {
+	input := `<iframe src="https://www.youtube.com/embed/test123?rel=0&amp;controls=0"></iframe>`
+	expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&amp;controls=0"></iframe>`
+	output := Sanitize("http://example.org/", input)
+
+	if expected != output {
+		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+	}
+}
+
+func TestReplaceYoutubeURLAlreadyReplaced(t *testing.T) {
+	input := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&amp;controls=0"></iframe>`
+	expected := `<iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&amp;controls=0"></iframe>`
+	output := Sanitize("http://example.org/", input)
+
+	if expected != output {
+		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+	}
+}
+
+func TestReplaceIframeURL(t *testing.T) {
+	input := `<iframe src="https://player.vimeo.com/video/123456?title=0&amp;byline=0"></iframe>`
+	expected := `<iframe src="https://player.vimeo.com/video/123456?title=0&amp;byline=0"></iframe>`
+	output := Sanitize("http://example.org/", input)
+
+	if expected != output {
+		t.Errorf(`Wrong output: "%s" != "%s"`, expected, output)
+	}
+}
-- 
cgit v1.2.3