only allow iframe https content

CHANGELOG.md

@@ -1,3 +1,6 @@
+owncloud-news (5.2.2)
+* **Security**: Only allow YouTube and Vimeo to embed iframes if they use HTTPS to prevent mixed active content iframe attacks
+
 owncloud-news (5.2.1)
 * **Bugfix**: Fix admin settings by using the correct config path
 

appinfo/application.php

@@ -124,8 +124,8 @@ class Application extends App {
             $config->set('Cache.SerializerPath', $directory);
             $config->set('HTML.SafeIframe', true);
             $config->set('URI.SafeIframeRegexp',
-                '%^(?:https?:)?//(' .
-                'www.youtube(?:-nocookie)?.com/embed/|' .
+                '%^https://(?:www\.)?(' .
+                'youtube(?:-nocookie)?.com/embed/|' .
                 'player.vimeo.com/video/)%'); //allow YouTube and Vimeo
             return new HTMLPurifier($config);
         });