From b345cebf2f249348ed7bfa8775eb4edaf0da8fae Mon Sep 17 00:00:00 2001
From: Julian Dehm <j.dehm@liqd.net>
Date: Wed, 22 Nov 2023 15:08:42 +0100
Subject: [PATCH] ckeditor: add templatetag which disables iframes if
 javascript is disabled

---
 .../ckeditor/templatetags/ckeditor_tags.py    |  7 +++++
 changelog/_8999.md                            |  4 +++
 tests/ckeditor/test_ckeditor_templatetags.py  | 27 +++++++++++++++++++
 tests/project/settings.py                     | 19 +++++++++++--
 4 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 changelog/_8999.md

diff --git a/adhocracy4/ckeditor/templatetags/ckeditor_tags.py b/adhocracy4/ckeditor/templatetags/ckeditor_tags.py
index f76d4b39e..6548e311a 100644
--- a/adhocracy4/ckeditor/templatetags/ckeditor_tags.py
+++ b/adhocracy4/ckeditor/templatetags/ckeditor_tags.py
@@ -1,3 +1,4 @@
+import re
 import time
 
 from django import template
@@ -45,3 +46,9 @@ def transform_collapsibles(text):
             )
 
     return serialize(tree)
+
+
+@register.filter
+def disable_iframes(text):
+    """Disable all iframes to prevent them from loading if js is disabled"""
+    return re.sub(r"(<iframe .*?)src=(.*?>)", r"\1data-src=\2", text)
diff --git a/changelog/_8999.md b/changelog/_8999.md
new file mode 100644
index 000000000..8d6744021
--- /dev/null
+++ b/changelog/_8999.md
@@ -0,0 +1,4 @@
+### Added
+
+- templatetag which disables iframes to stop them from loading if javascript is
+  disabled
diff --git a/tests/ckeditor/test_ckeditor_templatetags.py b/tests/ckeditor/test_ckeditor_templatetags.py
index 1aaee8222..a6d735817 100644
--- a/tests/ckeditor/test_ckeditor_templatetags.py
+++ b/tests/ckeditor/test_ckeditor_templatetags.py
@@ -19,3 +19,30 @@ def test_transform_collapsibles(project_factory):
     output = render_template(template, {"project": project})
     assert "<span>Title</span>" in output
     assert "<div>Body</div>" in output
+
+
+@pytest.mark.django_db
+def test_disable_iframes(project_factory):
+    evil_iframe = (
+        '<div><figure class="media"><div '
+        'data-oembed-url="https://www.youtube.com/embed/PkhmcJWSNAU'
+        '?controls=0"><div><iframe '
+        'src="https://www.youtube.com/embed/PkhmcJWSNAU?rel=0"></iframe>'
+        "</div></div></figure><p>liqd project info</p></div>"
+    )
+    good_iframe = (
+        '<div><figure class="media"><div '
+        'data-oembed-url="https://www.youtube.com/embed/PkhmcJWSNAU'
+        '?controls=0"><div><iframe '
+        'data-src="https://www.youtube.com/embed/PkhmcJWSNAU?rel=0">'
+        "</iframe></div></div></figure><p>liqd project info</p></div>"
+    )
+
+    project = project_factory(information=evil_iframe)
+
+    template = (
+        "{% load ckeditor_tags %}"
+        + "{{ project.information | disable_iframes | safe }}"
+    )
+    output = render_template(template, {"project": project})
+    assert output == good_iframe
diff --git a/tests/project/settings.py b/tests/project/settings.py
index f55875aea..7a149fb7c 100644
--- a/tests/project/settings.py
+++ b/tests/project/settings.py
@@ -194,11 +194,26 @@
         ],
     },
     "collapsible-image-editor": {
-        "tags": ["p", "strong", "em", "u", "ol", "li", "ul", "a", "img", "div"],
+        "tags": [
+            "p",
+            "strong",
+            "em",
+            "u",
+            "ol",
+            "li",
+            "ul",
+            "a",
+            "img",
+            "div",
+            "iframe",
+            "figure",
+        ],
         "attributes": {
             "a": ["href", "rel"],
             "img": ["src", "alt", "style"],
-            "div": ["class"],
+            "div": ["class", "data-oembed-url"],
+            "iframe": ["src", "alt"],
+            "figure": ["class", "div", "iframe"],
         },
         "styles": [
             "float",