1 files changed, 14 insertions, 6 deletions

diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 3a4e78d6..811895dc 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -373,9 +373,7 @@ class Poche
                 $body = $content['rss']['channel']['item']['description'];
 
                 // clean content from prevent xss attack
-                $config = HTMLPurifier_Config::createDefault();
-                $config->set('Cache.SerializerPath', CACHE);
-                $purifier = new HTMLPurifier($config);
+                $purifier = $this->getPurifier();
                 $title = $purifier->purify($title);
                 $body = $purifier->purify($body);
 
@@ -920,9 +918,7 @@ class Poche
           Tools::logm('Fetching next batch of articles...');
           $items = $this->store->retrieveUnfetchedEntries($this->user->getId(), IMPORT_LIMIT);
 
-          $config = HTMLPurifier_Config::createDefault();
-          $config->set('Cache.SerializerPath', CACHE);
-          $purifier = new HTMLPurifier($config);
+          $purifier = $this->getPurifier();
 
           foreach ($items as $item) {
             $url = new Url(base64_encode($item['url']));
@@ -1064,4 +1060,16 @@ class Poche
         $this->messages->add('s', _('Cache deleted.'));
         Tools::redirect();
     }
+
+    /**
+     * return new purifier object with actual config
+     */
+    protected function getPurifier() {
+      $config = HTMLPurifier_Config::createDefault();

+      $config->set('Cache.SerializerPath', CACHE);

+      $config->set('HTML.SafeIframe', true);

+      $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo$purifier = new HTMLPurifier($config);
+

+      return new HTMLPurifier($config);
+    }
 }