From 3a13509ff8fca3d8df2c020f2e71c0e9f736d835 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Wed, 5 Oct 2016 12:56:32 +0200
Subject: [PATCH] Strip iframes from source
---
 .../files/js/3rdParty/redactor2/plugins/WoltLabClean.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabClean.js b/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabClean.js
index 63a367fe17..2b8fc71d20 100644
--- a/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabClean.js
+++ b/wcfsetup/install/files/js/3rdParty/redactor2/plugins/WoltLabClean.js
@@ -19,6 +19,14 @@ $.Redactor.prototype.WoltLabClean = function() {
 // restore ampersands
 html = html.replace(/@@@WCF_AMPERSAND@@@/g, '&');
+ // remove iframes smuggled into the HTML by the user
+ // they're removed on the server anyway, but keeping
+ // them in the wysiwyg may lead to false impressions
+ var div = elCreate('div');
+ div.innerHTML = html;
+ elBySelAll('iframe', div, elRemove);
+ html = div.innerHTML;
+ return html;
 }).bind(this);
-- 
2.20.1
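Review bot: Assigning the user-supplied `html` to `div.innerHTML` parses it in the live document, so even though the div is never attached, markup in it can start resource loads and run inline event handlers (for example on images) before the iframes are removed. Assuming `elCreate` wraps `document.createElement`, parse in an inert document instead: `var div = document.implementation.createHTMLDocument('').body;` leaves the three lines after it unchanged. The round trip through `innerHTML` also re-serialises the markup, so the `&` characters restored on the line just above can come back as `&amp;` in text and attribute values; confirm that is intended. The enclosing callback starts above the hunk, so any earlier cleaning of `html` is not visible here.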