sanitize iframe, srcdoc, add test

app/controllers/decidim/decidim_awesome/iframe_component/iframe_controller.rb

@@ -17,7 +17,14 @@ def iframe
 
         def sanitize(html)
           sanitizer = Rails::Html::SafeListSanitizer.new
-          sanitizer.sanitize(html, tags: %w(iframe), attributes: ALLOWED_ATTRIBUTES)
+          partially_sanitized_html = sanitizer.sanitize(html, tags: %w(iframe), attributes: ALLOWED_ATTRIBUTES)
+
+          document = Nokogiri::HTML::DocumentFragment.parse(partially_sanitized_html)
+          document.css("iframe").each do |iframe|
+            iframe["srcdoc"] = Loofah.fragment(iframe["srcdoc"]).scrub!(:prune).to_s if iframe["srcdoc"]
+          end
+
+          document.to_s
         end
 
         def remove_margins?

spec/system/awesome_iframe_spec.rb

@@ -92,4 +92,17 @@
       end
     end
   end
+
+  context "when iframe code contains a script in srcdoc" do
+    let(:iframe) { '<iframe srcdoc="<script>alert(\'XSS\');</script>"></iframe>' }
+
+    it "removes the script" do
+      within ".awesome-iframe" do
+        expect(page).not_to have_selector("script")
+        expect(page).to have_selector("iframe")
+        expect(page).not_to have_text("XSS")
+        expect { page.driver.browser.switch_to.alert }.to raise_error(Selenium::WebDriver::Error::NoSuchAlertError)
+      end
+    end
+  end
 end