this is a mess and makes a complicated security model that one can probably drive a truck through. It will have to be fixed. It does make youtubes work again.

2 files changed, 7 insertions, 5 deletions

diff --git a/include/bbcode.php b/include/bbcode.php
index 6f6e43568..96242fdac 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -230,11 +230,10 @@ function bb_location($match) {
 function bbiframe($match) {
 	$a = get_app();
 
-	// use sandbox mode to prevent malicious goings on rather than host restriction
-	//	if(strpos($match[1],get_app()->get_hostname()))
-	//		return '<a href="' . $match[1] . '">' . $match[1] . '</a>';
 
-	return '<iframe sandbox="allow-scripts" src="' . $match[1] . '" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="' . $match[1] . '">' . $match[1] . '</a></iframe>';
+	$sandbox = ((strpos($match[1],get_app()->get_hostname())) ? ' sandbox="allow-scripts" ' : '');
+
+	return '<iframe ' . $sandbox . ' src="' . $match[1] . '" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="' . $match[1] . '">' . $match[1] . '</a></iframe>';
 }
 
 function bb_ShareAttributesSimple($match) {
diff --git a/include/oembed.php b/include/oembed.php
index 691ef48fd..42a9881ed 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -164,8 +164,11 @@ function oembed_iframe($src,$width,$height) {
 
 	$a = get_app();
 
+	$sandbox = ((strpos($src,get_app()->get_hostname())) ? ' sandbox="allow-scripts" ' : '');
+
 	$s = $a->get_baseurl()."/oembed/".base64url_encode($src);
-	return '<iframe sandbox="allow-scripts" height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>'; 
+
+	return '<iframe ' . $sandbox . ' height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>'; 
 
 }