+ ],
+
+ elements: {
+ // Prevent iframe's src attribute with javascript code or data protocol from being evaluated in the editable.
+ iframe: function( element ) {
+ if ( element.attributes && element.attributes.src ) {
+
+ var src = element.attributes.src.toLowerCase().replace( /[^a-z]/gi, '' );
+ if ( src.indexOf( 'javascript' ) === 0 || src.indexOf( 'data' ) === 0 ) {
+ element.attributes[ 'data-cke-pa-src' ] = element.attributes.src;
+ delete element.attributes.src;
+ }
+ }
+ }
+ }