Add HTML Embedding Whitelist for Enhanced XSS Security #326

Open
devleejb opened this issue Aug 31, 2024 · 0 comments
Labels: enhancement 🌟 (New feature or request), good first issue 🐤 (Good for newcomers)

Comments

@devleejb (Member)

What would you like to be added:
To improve XSS security, we have introduced rehype-sanitize. However, this implementation has restricted the usage of beneficial HTML embedding features, such as StrawPoll and Google Calendar. It is crucial to explore solutions that would allow us to securely utilize this functionality.

The following adjustments to the sanitization schema have been proposed:

```js
[
  rehypeSanitize,
  {
      ...defaultSchema,
      tagNames: [...(defaultSchema.tagNames ?? []), "iframe", "div"],
      attributes: {
          ...defaultSchema.attributes,
          iframe: [
              "src",
              "width",
              "height",
              "frameborder",
              "allow",
              "allowfullscreen",
              "allowtransparency",
              "style",
          ],
          div: ["style"],
      },
      protocols: {
          ...defaultSchema.protocols,
          src: [
              ...(defaultSchema.protocols?.src || []),
              "https://strawpoll.com",
              "https://cdn.strawpoll.com",
          ],
      },
  },
]
```

With these changes, StrawPoll functionality works, but it is necessary to verify security implications. Additionally, we should consider a scalable structure that allows for the inclusion of other certified sites.

Why is this needed:

Providing a secure and flexible HTML embedding feature will enhance user experience while maintaining safety against XSS attacks. By integrating trusted sources, we can offer richer functionalities without compromising security.

Additional Information:
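One way to get the "scalable structure" for certified sites asked for above is a small rehype-style pass that runs after rehype-sanitize and keeps an `<iframe>` only when its `src` is an absolute `https:` URL whose host (and optionally path prefix) matches an allowlist entry. This is an added example written for this issue, not code from the project or from rehype-sanitize; the `EMBED_ALLOWLIST` entries, the `rehypeEmbedAllowlist` name and the sample tree are constructed assumptions. It is written against the plain hast node shape (`type`, `tagName`, `properties`, `children`) so it runs without any packages; in the real pipeline the transformer would be registered like any other unified plugin. Note that rehype-sanitize's `protocols` option matches URL schemes such as `https`, not hosts, which is why a separate host check is needed.

```javascript
// Added example (not the project's code): drop <iframe> elements whose src is not
// on a per-host allowlist. Intended to run after rehype-sanitize, which has already
// removed every attribute not listed in its schema.

// Constructed allowlist; the entries are assumptions for this example. Adding a
// certified site means adding one entry here rather than touching the sanitizer.
const EMBED_ALLOWLIST = {
  iframe: [
    { hostname: "strawpoll.com" },
    { hostname: "cdn.strawpoll.com" },
    { hostname: "calendar.google.com", pathPrefix: "/calendar/embed" },
  ],
};

// True only for an absolute https URL whose hostname exactly equals one rule's
// hostname (so "strawpoll.com.example" does not pass) and, when the rule has a
// pathPrefix, whose path starts with it. Relative, scheme-less and malformed
// values are rejected because new URL() throws on them.
function isAllowedEmbed(src, rules) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return rules.some(
    (rule) =>
      url.hostname === rule.hostname &&
      (!rule.pathPrefix || url.pathname.startsWith(rule.pathPrefix))
  );
}

// unified/rehype plugin shape: called with options, returns a transformer that
// mutates the hast tree in place. Elements with an allowlisted tagName are kept
// only when their src passes isAllowedEmbed; everything else is left untouched.
function rehypeEmbedAllowlist(options = {}) {
  const allowlist = options.allowlist ?? EMBED_ALLOWLIST;

  function prune(node) {
    if (!Array.isArray(node.children)) return;
    node.children = node.children.filter((child) => {
      const rules = child.type === "element" ? allowlist[child.tagName] : undefined;
      if (rules) {
        const src = child.properties && child.properties.src;
        // Remove the whole element, not just the attribute, when src is missing or off-list.
        if (typeof src !== "string" || !isAllowedEmbed(src, rules)) return false;
      }
      prune(child); // iframes nested inside kept wrappers (e.g. <div>) are checked too
      return true;
    });
  }

  return function transformer(tree) {
    prune(tree);
    return tree;
  };
}

// Helper for inspecting a tree: number of elements with the given tagName.
function countElements(node, tagName) {
  let n = node.type === "element" && node.tagName === tagName ? 1 : 0;
  for (const child of node.children ?? []) n += countElements(child, tagName);
  return n;
}

// Constructed sample tree: two embeds that should survive and four that should not.
function sampleTree() {
  const el = (tagName, properties, children = []) => ({
    type: "element",
    tagName,
    properties,
    children,
  });
  return {
    type: "root",
    children: [
      el("iframe", { src: "https://strawpoll.com/embed/abc123" }),          // kept
      el("div", { style: "width:100%" }, [
        el("iframe", { src: "https://cdn.strawpoll.com/widget/abc123" }),    // kept (nested)
        el("iframe", { src: "https://other.example/widget" }),              // host not listed
      ]),
      el("iframe", { src: "http://strawpoll.com/embed/abc123" }),           // scheme downgrade
      el("iframe", { src: "https://strawpoll.com.example/embed/abc123" }),  // lookalike host
      el("iframe", {}),                                                     // no src at all
      el("p", {}, [{ type: "text", value: "unrelated content" }]),
    ],
  };
}

// Stand-alone run: the sample tree goes from 6 iframes to 2.
const demoTree = rehypeEmbedAllowlist()(sampleTree());
console.log(`iframes kept: ${countElements(demoTree, "iframe")}`);
```

Dropping the element rather than blanking its `src` keeps the rendered page from showing empty frames, and exact hostname comparison is deliberate: a suffix match would let a lookalike domain through. Path prefixes are optional per entry, which is enough for services such as Google Calendar that expose their embed under one path.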

Projects
Status: Backlog
Development

No branches or pull requests

1 participant