Strip iframes from source
authorAlexander Ebert <ebert@woltlab.com>
Wed, 5 Oct 2016 10:56:32 +0000 (12:56 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Wed, 5 Oct 2016 10:56:32 +0000 (12:56 +0200)
wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabClean.js

index 63a367fe1729ab33e90ff330f8897992ccf64b20..2b8fc71d2004f8010ca6c3ce4de5b2d9f160f69e 100644 (file)
@@ -19,6 +19,14 @@ $.Redactor.prototype.WoltLabClean = function() {
                                // restore ampersands
                                html = html.replace(/@@@WCF_AMPERSAND@@@/g, '&amp;');
                                
+                               // remove iframes smuggled into the HTML by the user
+                               // they're removed on the server anyway, but keeping
+                               // them in the wysiwyg may lead to false impressions
+                               var div = elCreate('div');
+                               div.innerHTML = html;
+                               elBySelAll('iframe', div, elRemove);
+                               html = div.innerHTML;
+                               
                                return html;
                        }).bind(this);
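Review bot: Assigning `html` to `div.innerHTML` parses user-controlled markup in a node that, if `elCreate` is the usual `document.createElement` shorthand (its definition is not visible here), belongs to the live page document. Even while detached, such a node can start resource loads and run inline event handlers from the pasted markup, so this cleanup step becomes a place where that markup is evaluated before the server-side filter sees it. Creating the scratch element in an inert document avoids this while leaving the other three added lines unchanged: `var div = document.implementation.createHTMLDocument('').createElement('div');`. The added comment could also state that the round trip through `innerHTML` re-serialises the markup, so the returned `html` may differ from the input in more than the removed iframes. The enclosing callback begins above the hunk, so where `html` comes from cannot be confirmed from these lines.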