iframeremove
340 sites
Security covered
IFrames are great old way to embed content of another site to yours. This also make it a good way to start a cross-site attack.
It's both good and bad thing to let your site users to add iframe in their contents. On one hand, if a users is doing "Full HTML" in their content, they would certainly want to embed iframe (YouTube, Google Maps). But if one of your users is naughty, or if your site is somehow hacked, they would want to sneak malicious iframe attack in, too.
Can we remove all the iframe(s), except the ones we trust?
That's what this module does.
It provides a filter that you may add to text formats (Full HTML, Filtered HTML). The filter will remove every iframe it found except "src" from the whitelist.
Easy to config. Easy to use.
Usage
- Open your site's admin interface
- Go to "Configruation" > "Text formats"
- Open "configure" of the text format that you want to apply the filter
- Check "iFrame removing filter"
- At "Filter Settings" > "iFrame removing filter", fill-in the whitelist domains. You need to put in 1 domain per line. You may use wildcard character "*" to match multiple characters
- Click "Save Configurations"