Renderer for [[embed]]...[[/embed]] block-level embeds.
Unlike inline embeds (which target specific providers like YouTube),
embed blocks contain raw HTML that the user provides. This module
validates and sanitizes that HTML through a multi-layer pipeline:
1. sanitize-html strips everything except a single <iframe> with
   a limited set of safe attributes.
2. The iframe's src URL must use HTTP or HTTPS.
3. The hostname and path must match the configured allowlist (or the
   allowlist can be set to null for Wikidot's "anyiframe" mode).
If any validation step fails, a Wikidot-compatible error block is
rendered instead.
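
The scheme check and the allowlist match described above can be sketched as follows. This is an added example, not this module's code: validateIframeSrc, the ALLOWLIST entries and their { host, pathPrefix } shape are assumptions made for illustration.

```javascript
// Added example: scheme check, then allowlist match, on an iframe src value.
// ALLOWLIST contents and the { host, pathPrefix } entry shape are assumptions,
// not the module's real configuration format.
const ALLOWLIST = [
  { host: "www.youtube.com", pathPrefix: "/embed/" },
  { host: "player.vimeo.com", pathPrefix: "/video/" },
];

// Returns { ok: true, url } or { ok: false, reason }.
// Pass allowlist = null for "anyiframe" mode: any HTTP(S) URL is accepted.
function validateIframeSrc(src, allowlist) {
  let url;
  try {
    // No base URL is given, so relative and protocol-relative values
    // ("//host/path") fail to parse instead of inheriting a scheme.
    url = new URL(String(src).trim());
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Compare the parsed protocol, never a string prefix of the raw value.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  // "https://allowed.host@other.host/" parses with other.host as the host;
  // reject any URL that carries credentials at all.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo" };
  }
  if (allowlist === null) return { ok: true, url: url.href };
  // url.hostname is lowercased by the parser and url.pathname has dot
  // segments resolved, so "/embed/../x" is compared as "/x".
  const hit = allowlist.some(
    (e) => url.hostname === e.host && url.pathname.startsWith(e.pathPrefix)
  );
  // Return the normalised href so the rendered src is the value that was checked.
  return hit ? { ok: true, url: url.href } : { ok: false, reason: "allowlist" };
}
```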