-rw-r--r-- | lib/pleroma/web/rich_media/parser/card.ex | 8 | ||||
-rw-r--r-- | priv/scrubbers/o_embed.ex | 18 |
2 files changed, 25 insertions, 1 deletions
diff --git a/lib/pleroma/web/rich_media/parser/card.ex b/lib/pleroma/web/rich_media/parser/card.ex
index fc0e3f6a4..d352eb4c5 100644
--- a/lib/pleroma/web/rich_media/parser/card.ex
+++ b/lib/pleroma/web/rich_media/parser/card.ex
@@ -28,6 +28,12 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
       when type in @types and is_binary(url) do
     uri = URI.parse(url)
 
+    html =
+      case FastSanitize.Sanitizer.scrub(oembed["html"], Pleroma.HTML.Scrubber.OEmbed) do
+        {:ok, html} -> html
+        _ -> ""
+      end
+
     %Card{
       url: url,
       title: title,
@@ -37,7 +43,7 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
       author_url: oembed["author_url"],
       provider_name: oembed["provider_name"] || uri.host,
       provider_url: oembed["provider_url"] || "#{uri.scheme}://#{uri.host}",
-      html: oembed["html"],
+      html: html,
       width: oembed["width"],
       height: oembed["height"],
       image: oembed["thumbnail_url"] |> proxy(),
diff --git a/priv/scrubbers/o_embed.ex b/priv/scrubbers/o_embed.ex
new file mode 100644
index 000000000..ac419f45d
--- /dev/null
+++ b/priv/scrubbers/o_embed.ex
@@ -0,0 +1,18 @@
+defmodule Pleroma.HTML.Scrubber.OEmbed do
+  @moduledoc """
+  Scrubs OEmbed HTML
+  """
+  require FastSanitize.Sanitizer.Meta
+  alias FastSanitize.Sanitizer.Meta
+
+  Meta.strip_comments()
+
+  Meta.allow_tag_with_these_attributes(:iframe, [
+    "width",
+    "height",
+    "src",
+    "allowfullscreen"
+  ])
+
+  Meta.strip_everything_not_covered()
+end
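Review bot: `oembed["html"]` is handed straight to `FastSanitize.Sanitizer.scrub/2` in the first card.ex hunk, and it is `nil` whenever the provider payload carries no `html` field; whether scrub/2 accepts `nil` is not visible here, and if it only matches binaries the call raises rather than reaching the `_ -> ""` fallback. Passing `oembed["html"] || ""` makes the missing-field case land on the empty-string path explicitly. Note that before this change a missing field produced `html: nil`, so any consumer that distinguishes `nil` from `""` should be checked. The enclosing function's head is above the hunk and its body continues past it.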
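Review bot: In the new scrubber the iframe `src` attribute is allowed through `Meta.allow_tag_with_these_attributes` with no restriction on its URI scheme, so whatever scheme the remote provider's markup carries is kept in the card HTML. FastSanitize's `Meta.allow_tag_with_uri_attributes/3` exists for exactly this: `Meta.allow_tag_with_uri_attributes(:iframe, ["src"], ["http", "https"])` next to `Meta.allow_tag_with_these_attributes(:iframe, ["width", "height", "allowfullscreen"])`. Whether the rendering side adds a `sandbox` attribute or a CSP for this provider-supplied HTML is not visible in this diff and is worth confirming, and the `@moduledoc` could say which tags and attributes survive so the policy is discoverable.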