FIX: Don't put iframes in emails where they are sanitized out. Replace

them with links.

lib/email/styles.rb

@@ -81,6 +81,20 @@ module Email
       @fragment.css('aside, article, header').each do |n|
         n.name = "div"
       end
+
+      # iframes can't go in emails, so replace them with clickable links
+      @fragment.css('iframe').each do |i|
+        begin
+          src_uri = URI(i['src'])
+
+          # If an iframe is protocol relative, use SSL when displaying it
+          display_src = "#{src_uri.scheme || 'https://'}#{src_uri.host}#{src_uri.path}"
+          i.replace "<p><a href='#{src_uri.to_s}'>#{display_src}</a><p>"
+        rescue URI::InvalidURIError
+          # If the URL is weird, remove it
+          i.remove
+        end
+      end
     end
 
     def format_html

spec/components/email/styles_spec.rb

@@ -79,6 +79,21 @@ describe Email::Styles do
       expect(frag.at('ul')['style']).to be_present
       expect(frag.at('li')['style']).to be_present
     end
+
+    it "converts iframes to links" do
+      iframe_url = "http://www.youtube.com/embed/7twifrxOTQY?feature=oembed&wmode=opaque"
+      frag = html_fragment("<iframe src=\"#{iframe_url}\"></iframe>")
+      expect(frag.at('iframe')).to be_blank
+      expect(frag.at('a')).to be_present
+      expect(frag.at('a')['href']).to eq(iframe_url)
+    end
+
+    it "won't allow non URLs in iframe src, strips them with no link" do
+      iframe_url = "alert('xss hole')"
+      frag = html_fragment("<iframe src=\"#{iframe_url}\"></iframe>")
+      expect(frag.at('iframe')).to be_blank
+      expect(frag.at('a')).to be_blank
+    end
   end
 
   context "rewriting protocol relative URLs to the forum" do