feat: Add option for safe iframe hosts using array lookup (#423)

Co-authored-by: Edward Z. Yang <ezyang@meta.com>

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt

@@ -6,7 +6,7 @@ DEFAULT: false
 <p>
     Whether or not to permit iframe tags in untrusted documents.  This
     directive must be accompanied by a whitelist of permitted iframes,
-    such as %URI.SafeIframeRegexp, otherwise it will fatally error.
+    such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
     This directive has no effect on strict doctypes, as iframes are not
     valid.
 </p>

library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt

@@ -0,0 +1,14 @@
+URI.SafeIframeHosts
+TYPE: lookup/null
+DEFAULT: null
+--DESCRIPTION--
+<p>
+    A whitelist which indicates what explicit hosts should be
+    allowed to embed iframe.  See also %HTML.SafeIframeRegexp,
+    it has precedence over this config. Here are some example values:
+</p>
+<ul>
+    <li><code>www.youtube.com</code> - Allow YouTube videos</li>
+    <li><code>maps.google.com</code> - Allow Embedding a Google map</li>
+</ul>
+--# vim: et sw=4 sts=4