YouTube iframe in Gollum

This site is built on Gollum. I'd started writing a note to transcribe a bunch of slam-poetry writings that appeared in a series of award-winning ads, hence I needed to embed the YouTube videos.

I pasted the YouTube <iframe /> embed code and could see it work in Gollum's live-preview editor, but it simply wouldn't display in the actual page after saving. It was as though something was stripping out my embed code.

For some reason, I was pretty convinced that it had to do with the markdown renderer that I was using. After spending an entire evening trial-and-erroring over swapping out markdown renderers, it came to light in a byebug session that my <iframe /> tag was being stripped out before it was hitting the renderer.

It wasn't any issue with the markdown renderer.

Turns out, gollum has a tag sanitization feature, and the iframe element isn't included as part of the default whitelist in gollum-lib/lib/gollum-lib/sanitization.rb for security reasons.

Here's how you can tweak the sanitization to support YouTube's iframe embed it in your config.rb file.

sanitizer = Gollum::Sanitization.new
sanitizer.elements.push 'iframe' # Tag
sanitizer.attributes['iframe'] = [
  'width', 'height', 'src', 'frameborder', 'allowfullscreen'
]  # Attributes

Precious::App.set(:wiki_options, { :sanitization => sanitizer })

What's worse, when crawling through my config.rb, I realised I already had code that was tweaking the sanitization list, but had completely forgotten about it.

Hopefully future me, or someone else would find this helpful.

Engineering lesson of the day

Check what's being passed into the markdown renderer before blaming it for stripping out your tags.

21 June 2017