Remove iframe inner HTML contents

An iframe element never has fallback content, as it will always create a nested browsing context, regardless of whether the specified initial contents are successfully used. https://www.w3.org/TR/2010/WD-html5-20101019/the-iframe-element.html#the-iframe-element
2025-07-17 17:08:36 +00:00 · 2021-02-13 13:52:18 -08:00 · 2021-02-13 13:52:18 -08:00 · 0413daf76b
commit 0413daf76b
parent 5043749b9f
2 changed files with 19 additions and 1 deletions
--- a/reader/sanitizer/sanitizer.go
+++ b/reader/sanitizer/sanitizer.go
@ -24,11 +24,12 @@ var (

 // Sanitize returns safe HTML.
 func Sanitize(baseURL, input string) string {
-	tokenizer := html.NewTokenizer(bytes.NewBufferString(input))
 	var buffer bytes.Buffer
 	var tagStack []string
+	var parentTag string
 	blacklistedTagDepth := 0

+	tokenizer := html.NewTokenizer(bytes.NewBufferString(input))
 	for {
 		if tokenizer.Next() == html.ErrorToken {
 			err := tokenizer.Err()
@ -46,9 +47,16 @@ func Sanitize(baseURL, input string) string {
 				continue
 			}

+			// An iframe element never has fallback content.
+			// See https://www.w3.org/TR/2010/WD-html5-20101019/the-iframe-element.html#the-iframe-element
+			if parentTag == "iframe" {
+				continue
+			}
+
 			buffer.WriteString(html.EscapeString(token.Data))
 		case html.StartTagToken:
 			tagName := token.DataAtom.String()
+			parentTag = tagName

 			if !isPixelTracker(tagName, token.Attr) && isValidTag(tagName) {
 				attrNames, htmlAttributes := sanitizeAttributes(baseURL, tagName, token.Attr)