From 607ba4aca7530b71c8df59398cb2ef5a97aa5e12 Mon Sep 17 00:00:00 2001
From: Felix Scheinost
Date: Mon, 30 Oct 2017 20:07:03 +0100
Subject: [PATCH 1/2] remove youtube iframes by default as well; add option to still allow them
---
 index.js | 3 ++-
 lib/render.js | 6 +++++-
 lib/sanitize.js | 4 +++-
 test/sanitize.js | 7 ++++++-
 test/youtube.js | 2 +-
 5 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/index.js b/index.js
index 19de0f0..984b677 100644
--- a/index.js
+++ b/index.js
@@ -14,7 +14,8 @@ var defaultOptions = {
 debug: false,
 package: null,
 headingAnchorClass: 'anchor',
- headingSvgClass: ['octicon', 'octicon-link']
+ headingSvgClass: ['octicon', 'octicon-link'],
+ allowDeprecatedYoutubeEmbeds: false
 }
 var marky = module.exports = function (markdown, options) {
diff --git a/lib/render.js b/lib/render.js
index 2ff03a3..9daca3c 100644
--- a/lib/render.js
+++ b/lib/render.js
@@ -81,7 +81,6 @@ render.getParser = function (options) {
 .use(relaxedLinkRefs)
 .use(gravatar)
 .use(github, {package: options.package})
- .use(youtube)
 .use(packagize, {package: options.package})
 .use(htmlHeading)
 .use(overrideLinkDestinationParser)
@@ -92,8 +91,13 @@ render.getParser = function (options) {
 parser.use(codeWrap)
 .use(fenceLanguageAliasing)
 }
+
 if (options.serveImagesWithCDN) parser.use(cdnImages, {package: options.package})
+ if (options.allowDeprecatedYoutubeEmbeds) {
+ parser.use(youtube)
+ }
+
 return githubLinkify(parser)
 }
diff --git a/lib/sanitize.js b/lib/sanitize.js
index d3587cc..dc7d74c 100644
--- a/lib/sanitize.js
+++ b/lib/sanitize.js
@@ -93,7 +93,9 @@ function getSanitizerConfig (options) {
 // Allow YouTube iframes
 if (frame.tag !== 'iframe') return false
- return !String(frame.attribs.src).match(/^(https?:)?\/\/(www\.)?youtube\.com/)
+
+ var isYouTube = String(frame.attribs.src).match(/^(https?:)?\/\/(www\.)?youtube\.com/)
+ return !(isYouTube && options.allowDeprecatedYoutubeEmbeds)
 },
 transformTags: {
 'td': sanitizeCellStyle,
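Review bot: The new `allowDeprecatedYoutubeEmbeds: false` default carries no explanation of what it gates, and the name alone does not tell a reader that enabling it both registers the youtube plugin in lib/render.js and lets youtube.com `<iframe>` tags through the sanitizer in lib/sanitize.js. A comment on the new line would save the next maintainer that trip: `allowDeprecatedYoutubeEmbeds: false // opt-in: keep YouTube <iframe>s, which are otherwise stripped with every other iframe`. The diffstat lists no README or docs file, so the option also appears to be undocumented for users of the package.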
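Review bot: Registering the youtube plugin after `cdnImages` changes its position in the pipeline for callers who opt in: the line removed in the first lib/render.js hunk had it between `github` and `packagize`, ahead of `htmlHeading` and `overrideLinkDestinationParser`, and the new block runs it last. If any of those plugins rewrites link destinations that youtube later turns into embeds, opted-in output will differ from pre-patch output; if the order is known not to matter, a one-line comment above the new block saying so (`// order relative to the other plugins is not significant`) would stop the next reader from wondering, otherwise the test in test/youtube.js should pin the old output. As a point of style, the new check uses braces while the `serveImagesWithCDN` check on the line above does not; the two adjacent option checks read better in one form. `render.getParser` starts above the hunk.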
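Review bot: The host check on the new `isYouTube` line is anchored only at the start, so `youtube.com` is matched as a prefix of the host rather than as the whole host; a `src` whose host merely begins with `youtube.com` (for instance `youtube.com.example`) satisfies it, which was already true of the removed line and is now carried into the opt-in path. Terminating the host with a slash or end-of-input closes that gap and turns the variable into a real boolean instead of a match array or null: `var isYouTube = /^(https?:)?\/\/(www\.)?youtube\.com(\/|$)/.test(String(frame.attribs.src))`. The `// Allow YouTube iframes` comment now states the opposite of the default behaviour and should read `// Drop every iframe; keep YouTube embeds only when the caller set allowDeprecatedYoutubeEmbeds`. The filter callback this code sits in starts above the hunk, so whether `options` can be undefined here cannot be judged from this view.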
diff --git a/test/sanitize.js b/test/sanitize.js
index 21dc137..56b0007 100644
--- a/test/sanitize.js
+++ b/test/sanitize.js
@@ -58,10 +58,15 @@ describe('sanitize', function () {
 assert.equal($('s').text(), 'orange')
 })
- it('disallows iframes from sources other than youtube', function () {
+ it('disallows all iframes by default', function () {
 var $ = cheerio.load(marky(fixtures.basic))
 assert(~fixtures.basic.indexOf('