@hanachin commented Jun 20, 2017

@yuku commented Jun 26, 2017

Hi @hanachin, thanks for sending the patch!

It looks good to me to allow embedding CodePen. We are investigating whether there are any security concerns.

As I wrote in #56, Qiita uses the { strict: true, script: false } context while rendering markdown. This means that all iframe elements are filtered out by UserInputSanitizer. In addition, since FinalSanitizer does not filter iframe with the { script: true } context, I think the specs you added in the patch do not fail in the master branch.

@hanachin (Author) commented

Thank you for your response!

I didn't know the strict and script context metrics in #54.
I want to embed CodePen in both Qiita and Qiita:Team, but as far as I can see in #54, embedding an iframe is not permitted for Qiita. Is this correct?

There are two ways to embed CodePen:

  1. embed by iframe, as implemented in this pull request:

     <iframe height='265' scrolling='no' title='KqayLz' src='//codepen.io/hanachin/embed/KqayLz/?height=265&theme-id=light&default-tab=html,result&embed-version=2' frameborder='no' allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/hanachin/pen/KqayLz/'>KqayLz</a> by Seiei Miyagi (<a href='https://codepen.io/hanachin'>@hanachin</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

  2. embed by p tag with CodePen's JavaScript:

     <p data-height="265" data-theme-id="light" data-slug-hash="KqayLz" data-default-tab="html,result" data-user="hanachin" data-embed-version="2" data-pen-title="KqayLz" class="codepen">See the Pen <a href="https://codepen.io/hanachin/pen/KqayLz/">KqayLz</a> by Seiei Miyagi (<a href="https://codepen.io/hanachin">@hanachin</a>) on <a href="https://codepen.io">CodePen</a>.</p>
     <script async src="https://production-assets.codepen.io/assets/embed/ei.js"></script>

The 2nd one doesn't use an iframe, so it passes through the UserInputSanitizer easily, like the Twitter blockquote, but it needs <script async src="https://production-assets.codepen.io/assets/embed/ei.js"></script> placed somewhere on Qiita/Qiita:Team.

Would you please consider the 2nd one in the investigation?
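To make the two contexts concrete, here is an added illustration (not qiita-markdown's own UserInputSanitizer or FinalSanitizer) of how a { strict, script } rendering context decides which parts of the two embeds above survive. The element and attribute allowlists are assumptions chosen for the example, and the sample markup is constructed from the embeds quoted in this thread.

```python
from html import escape
from html.parser import HTMLParser

# Constructed samples modelled on the two CodePen embeds quoted in the thread.
IFRAME_EMBED = ("<iframe height='265' title='KqayLz' src='//codepen.io/hanachin/embed/KqayLz/'>"
                "See the Pen <a href='https://codepen.io/hanachin/pen/KqayLz/'>KqayLz</a></iframe>")
P_EMBED = ('<p data-height="265" data-slug-hash="KqayLz" data-user="hanachin" class="codepen">'
           'See the Pen <a href="https://codepen.io/hanachin/pen/KqayLz/">KqayLz</a></p>')
SCRIPT_TAG = '<script async src="https://production-assets.codepen.io/assets/embed/ei.js"></script>'
SCRIPT_ONLY = {"script", "iframe"}                # kept only when the context has script: true
STRICT_ALLOWED = {"p": {"class"}, "a": {"href"}}  # element -> non-data-* attributes kept when strict
SAFE_URL_PREFIXES = ("http://", "https://", "/")  # assumed href policy for the example

class ContextSanitizer(HTMLParser):
    def __init__(self, strict, script):
        super().__init__(convert_charrefs=True)
        self.strict, self.script, self.out = strict, script, []
        self.skip_depth = 0  # > 0 while inside an element that is being dropped

    def _allowed(self, tag):
        return self.script if tag in SCRIPT_ONLY else (not self.strict or tag in STRICT_ALLOWED)

    def _keep_attr(self, tag, name, value):
        # script: true marks trusted markup, so iframe/script keep their attributes as written.
        if not self.strict or tag in SCRIPT_ONLY or name.startswith("data-"):
            return True
        allowed = name in STRICT_ALLOWED.get(tag, set())
        return allowed and (name != "href" or (value or "").startswith(SAFE_URL_PREFIXES))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or not self._allowed(tag):
            self.skip_depth += 1  # drop the element together with its whole subtree
            return
        kept = "".join(f' {n}="{escape(v or "")}"' for n, v in attrs if self._keep_attr(tag, n, v))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
        elif self._allowed(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(html, strict=True, script=False):
    parser = ContextSanitizer(strict, script)
    parser.feed(html); parser.close()
    return "".join(parser.out)
```

Under Qiita's { strict: true, script: false } context the iframe embed collapses to nothing (its fallback text goes with it), while the p-tag embed survives intact and only the trailing script tag is dropped.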

@yuku commented Jun 29, 2017

> I want to embed CodePen in both Qiita and Qiita:Team, but as far as I can see in #54, embedding an iframe is not permitted for Qiita. Is this correct?

There is no limit in Qiita:Team. Feel free to embed your pens.
Neither iframe nor script is permitted in Qiita.

@yuku commented Nov 21, 2017

Closed in favor of #59.

@yuku yuku closed this Nov 21, 2017