Merge branch 'oembed' into oembed-built

src/general.ts

@@ -71,8 +71,16 @@ async function getOEmbedRich($: cheerio.CheerioAPI, pageUrl: string): Promise<OE
 		return null;
 	}
 
-	const allowedFeatures = (iframe.attr('allow') ?? '').split(/\s+/g);
+	// TODO: This implementation only allows basic syntax of `allow`.
-	const safeList = ['', 'fullscreen', 'encrypted-media', 'picture-in-picture'];
+	// Might need to implement better later.
+	const allowedFeatures = (iframe.attr('allow') ?? '').split(/\s*;\s*/g).filter(s => s);
+	const safeList = [
+		'autoplay',
+		'clipboard-write',
+		'fullscreen',
+		'encrypted-media',
+		'picture-in-picture'
+	];
 	if (allowedFeatures.some(allow => !safeList.includes(allow))) {
 		// This iframe is probably too powerful to be embedded
 		return null;

test/oembed/invalid/oembed-too-powerful2.json

@@ -1,6 +1,6 @@
 {
   "version": "1.0",
   "type": "rich",
-  "html": "<iframe src='https://example.com/' allow='fullscreen camera'></iframe>",
+  "html": "<iframe src='https://example.com/' allow='fullscreen;camera'></iframe>",
   "height": 300
 }

test/oembed/oembed-allow-safelisted-features.json

@@ -1,6 +1,6 @@
 {
   "version": "1.0",
   "type": "rich",
-  "html": "<iframe src='https://example.com/' allow='fullscreen encrypted-media picture-in-picture'></iframe>",
+  "html": "<iframe src='https://example.com/' allow='autoplay;clipboard-write;fullscreen;encrypted-media;picture-in-picture'></iframe>",
   "height": 300
 }