@ohader
Last active January 9, 2023 10:49
TYPO3 override DefaultSanitizerBuilder via custom site-extension - origin https://forge.typo3.org/issues/94917
<?php
// in my_extension/ext_localconf.php
defined('TYPO3') or die();

// overrides the `default` builder globally
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['default'] = \OliverHader\MyExtension\MyDefaultBuilder::class;

// actually it would be better to declare a new `my` builder
// to be used individually via TypoScript `stdWrap.parseFunc.htmlSanitize.build = my`
$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['my'] = \OliverHader\MyExtension\MyDefaultBuilder::class;

<?php
// in my_extension/Classes/MyDefaultBuilder.php
namespace OliverHader\MyExtension;

class MyDefaultBuilder extends \TYPO3\CMS\Core\Html\DefaultSanitizerBuilder
{
    protected function createBehavior(): \TYPO3\HtmlSanitizer\Behavior
    {
        // overrides TYPO3's default builder
        // allows the `iframe` tag with attrs `src` and `sandbox`
        // the `src` attr is limited further to
        // + regexp ^(https?://|/(?!/)|[^/:][^:]*$)
        // + or being a URI on the current TYPO3 host
        $behavior = parent::createBehavior();
        $iframeTag = (new \TYPO3\HtmlSanitizer\Behavior\Tag('iframe'))
            ->addAttrs($this->srcAttr, ...$this->createAttrs('sandbox'));
        $behavior = $behavior->withTags($iframeTag);
        return $behavior;
    }
}
dogawaf commented Sep 6, 2021

You should return $behavior->withTags($iframeTag); and not return $behavior;

dogawaf commented Sep 6, 2021

And if someone else arrives there, here is a common definition for iframe:

        $iframeTag = (new Tag('iframe'))
            ->addAttrs(
                array_merge(
                    $this->globalAttrs,
                    [$this->srcAttr],
                    $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
                )
            );

ohader commented Sep 6, 2021

> You should return $behavior->withTags($iframeTag); and not return $behavior;

Thx for the remark, fixed it.

ohader commented Sep 6, 2021

> And if someone else arrives there, here is a common definition for iframe:
>
> $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')

Side-note: not declaring the sandbox attribute might (I did not test it in detail, therefore "might") introduce new security risks.

My tests so far included the following:

<iframe src="iframe.html"
        sandbox="allow-downloads allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-scripts"></iframe>

Again: Not completely tested!


Another nice tweak is using tel: in iframe - in the past, some mobile clients directly called the given number.

<iframe src="tel:+1-234-56789"></iframe>

fazzyx commented Sep 22, 2021

> And if someone else arrives there, here is a common definition for iframe:
>
>         $iframeTag = (new Tag('iframe'))
>             ->addAttrs(
>                 array_merge(
>                     $this->globalAttrs,
>                     [$this->srcAttr],
>                     $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
>                 )
>             );

This throws an error on my setup.
Argument 1 passed to TYPO3\HtmlSanitizer\Behavior\Tag::addAttrs() must be an instance of TYPO3\HtmlSanitizer\Behavior\Attr, array given
I changed it to:

            ->addAttrs(
                ...array_merge(
                    $this->globalAttrs,
                    [$this->srcAttr],
                    $this->createAttrs('allow', 'sandbox', 'frameborder', 'height', 'width')
                )
            );
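Putting fazzyx's spread fix and ohader's sandbox side-note together, here is an added example builder that is not part of the gist or of TYPO3: it keeps the parent's restricted `src` attribute, makes `sandbox` mandatory (an iframe without it is dropped) and limits its value to an allow-list of tokens. It assumes typo3/html-sanitizer 2.x (`Attr::MANDATORY`, `RegExpAttrValue`) and is registered under the gist's `my` key; the class name, extension namespace and token list are placeholders chosen for the example.

```php
<?php
// my_extension/Classes/SandboxedIframeBuilder.php (hypothetical file/class name)
// registered via $GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['my'] = SandboxedIframeBuilder::class;
namespace OliverHader\MyExtension;

use TYPO3\CMS\Core\Html\DefaultSanitizerBuilder;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Behavior\Attr;
use TYPO3\HtmlSanitizer\Behavior\RegExpAttrValue;
use TYPO3\HtmlSanitizer\Behavior\Tag;

class SandboxedIframeBuilder extends DefaultSanitizerBuilder
{
    // constructed allow-list of sandbox tokens (the ones ohader tested, plus allow-forms);
    // `allow-same-origin` is deliberately absent: combined with `allow-scripts`
    // the framed document could remove its own sandbox restrictions
    private const SANDBOX_TOKENS = [
        'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
        'allow-pointer-lock', 'allow-popups', 'allow-scripts',
    ];

    protected function createBehavior(): Behavior
    {
        $behavior = parent::createBehavior();

        // `sandbox` must be present; its value is a whitespace-separated list
        // made up only of the tokens above (an empty value means "fully sandboxed")
        $tokenPattern = implode('|', array_map('preg_quote', self::SANDBOX_TOKENS));
        $sandboxAttr = (new Attr('sandbox', Attr::MANDATORY))
            ->addValues(new RegExpAttrValue('#^\s*(?:(?:' . $tokenPattern . ')(?:\s+|$))*$#'));

        // `src` reuses the parent's restriction (http(s), relative path or same host),
        // which per the regexp quoted in the gist rejects schemes such as `tel:`
        // array_merge + spread, because Tag::addAttrs() is variadic over Attr instances
        $iframeTag = (new Tag('iframe'))
            ->addAttrs(
                ...array_merge(
                    $this->globalAttrs,
                    [$this->srcAttr, $sandboxAttr],
                    $this->createAttrs('allow', 'frameborder', 'height', 'width')
                )
            );

        return $behavior->withTags($iframeTag);
    }
}
```

With `stdWrap.parseFunc.htmlSanitize.build = my`, an `<iframe src="tel:+1-234-56789">` loses its `src` and an iframe lacking `sandbox` is removed, while the sandboxed example from ohader's comment passes unchanged.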
