fix: preserve allowed iframe query parameters (#5295)

DAQEM · Prospector · web-flow · commit e80d7730cab3 · 2026-02-09T15:17:37.000Z
Co-authored-by: Prospector &lt;6166773+Prospector@users.noreply.github.com&gt;
diff --git a/packages/utils/parse.ts b/packages/utils/parse.ts
@@ -53,7 +53,7 @@ export const configuredXss = new FilterXSS({
 					continue
 				}
 
-				const newSearchParams = new URLSearchParams()
+				const newSearchParams = new URLSearchParams(url.searchParams)
 				url.searchParams.forEach((value, key) => {
 					if (!source.allowedParameters.some((param) => param.test(`${key}=${value}`))) {
 						newSearchParams.delete(key)

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ export const configuredXss = new FilterXSS({`
`53`	`53`	`continue`
`54`	`54`	`}`
`55`	`55`
`56`		`- const newSearchParams = new URLSearchParams()`
	`56`	`+ const newSearchParams = new URLSearchParams(url.searchParams)`
`57`	`57`	`url.searchParams.forEach((value, key) => {`
`58`	`58`	if (!source.allowedParameters.some((param) => param.test(`${key}=${value}`))) {
`59`	`59`	`newSearchParams.delete(key)`