fix: security html module removes allow attribute from iframes (#2354)

* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes
* Apply suggestions from code review
fix: remove deprecated attributes for iframe in secure html module

Co-authored-by: Nicolas Giard <github@ngpixel.com>

server/modules/rendering/html-security/renderer.js

@@ -29,6 +29,7 @@ module.exports = {
 
       if (config.allowIFrames) {
         allowedTags.push('iframe')
+        allowedAttrs.push('allow')
       }
 
       input = DOMPurify.sanitize(input, {