diff --git a/app/controllers/oer/mymaterial.php b/app/controllers/oer/mymaterial.php
index fe5f6c005f7b64c8743533b0e993ed1f77b4c0e4..c9063ad6878102b6d80f641d59ab0dc8844750d4 100755
--- a/app/controllers/oer/mymaterial.php
+++ b/app/controllers/oer/mymaterial.php
@@ -38,7 +38,12 @@ class Oer_MymaterialController extends AuthenticatedController
             CSRFProtection::verifyUnsafeRequest();
             $was_new = $material->isNew();
             $was_on_twillo = (bool) $material['published_id_on_twillo'];
-            $material->setData(Request::getArray('data'));
+            $data = Request::getArray('data');
+            $material->setData($data);
+            if ($data['player_url'] && !$material->hasValidPreviewUrl()) {
+                PageLayout::postWarning(_('Die angegebene URL muss mit http(s) beginnen.'));
+                $material->player_url = '';
+            }
             $material['host_id'] = null;
             $material['license_identifier'] = Request::get('license', 'CC-BY-SA-4.0');
             if ($_FILES['file']['tmp_name']) {
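Review bot: The added guard reads `$data['player_url']` directly, so a request whose `data` array lacks that key emits an undefined-array-key warning before `hasValidPreviewUrl()` is even consulted; `if (!empty($data['player_url']) && !$material->hasValidPreviewUrl()) {` keeps the same truthiness semantics without the warning. The message posted on the next line says the URL must begin with http(s), which matches `hasValidPreviewUrl()` as implemented in lib/models/OERMaterial.php, so the two should be kept in step if the accepted scheme list ever changes. The enclosing action method starts and ends outside this hunk.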
diff --git a/app/views/oer/embed/url.php b/app/views/oer/embed/url.php
index 2c9af801c95fa1c4058d06cb9a0ec21866afb883..1b40d2404cd40eb1156465235f9d9162a79cb87f 100644
--- a/app/views/oer/embed/url.php
+++ b/app/views/oer/embed/url.php
@@ -5,7 +5,8 @@ if ($material['player_url']) {
 }
 $htmlid = "oercampus_".$material->id."_".uniqid();
 ?>
-<iframe id='<?= $htmlid ?>'
+<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts"
+        id='<?= $htmlid ?>'
         src="<?= htmlReady($url) ?>"
         style="width: 100%; height: 70vh; border: none;"></iframe>
 <?= $this->render_partial("oer/embed/_link") ?>
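Review bot: The new `sandbox` token list on the iframe combines `allow-scripts` with `allow-same-origin`, and per the HTML spec a same-origin framed document that has both can remove its own `sandbox` attribute, so the restriction only holds for cross-origin preview URLs. Since `$url` comes from the user-supplied `player_url` (assigned above the hunk), it is worth deciding whether same-origin previews are actually required; if not, dropping `allow-same-origin` makes the sandbox effective for every origin. The identical token list is emitted on the new line in lib/models/OERMaterial.php in this commit and has the same property. A short comment above the tag, `<!-- sandbox: allow-same-origin + allow-scripts is no restriction for same-origin content -->`, would record the trade-off for the next reader.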
diff --git a/app/views/oer/market/details.php b/app/views/oer/market/details.php
index 112c86f81600c60cce708d96435916c424f83bc3..4dd64ee2bbdfb3ff3364f2947503eea7a0c0ffca 100755
--- a/app/views/oer/market/details.php
+++ b/app/views/oer/market/details.php
@@ -2,7 +2,7 @@
 
 <? $url = $material['host_id'] ? $material->host->url."download/".$material['foreign_material_id'] : $controller->link_for("oer/endpoints/download/".$material->getId()) ?>
 
-<? if ($material['player_url']) : ?>
+<? if ($material->hasValidPreviewUrl()) : ?>
     <iframe src="<?= htmlReady($material['player_url']) ?>"
             class="lernmarktplatz_player"></iframe>
     <? OERDownloadcounter::addCounter($material->id) ?>
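Review bot: The iframe on the line after the changed condition still has no `sandbox` attribute, while the two other iframes this commit touches (app/views/oer/embed/url.php and the string in lib/models/OERMaterial.php) gain one, so the details page embeds the same user-supplied `player_url` with fewer restrictions than the embed endpoints. Adding the same attribute here, `<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts" src="<?= htmlReady($material['player_url']) ?>"`, keeps the three embeds consistent. The `$url` computed on the line above the condition is unaffected by this hunk.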
diff --git a/app/views/oer/mymaterial/edit.php b/app/views/oer/mymaterial/edit.php
index 01d0ec668674dee90f0bebdffc46f2ce7715a30f..69b4cc969974f61e4fb66e501cdfe07690ad1019 100755
--- a/app/views/oer/mymaterial/edit.php
+++ b/app/views/oer/mymaterial/edit.php
@@ -120,8 +120,8 @@
 
             <label>
                 <?= _('Vorschau-URL (optional)') ?>
-                <input type="text" name="data[player_url]"
-                       value="<?= htmlReady($material['player_url'] ?: $template['player_url']) ?>">
+                <input type="url" name="data[player_url]" pattern="^https?://.*"
+                       value="<?= htmlReady($material['player_url'] ?: $template['player_url'] ?? '') ?>">
             </label>
 
             <? if (!$material->isNew()) : ?>
diff --git a/lib/models/OERMaterial.php b/lib/models/OERMaterial.php
index 11fd8c0c89939fba984cdb2b84f505389d8f0504..dd03b22075407460b17fe62a71e5b74349b16918 100755
--- a/lib/models/OERMaterial.php
+++ b/lib/models/OERMaterial.php
@@ -149,19 +149,19 @@ class OERMaterial extends SimpleORMap
             ? $material->host->url."download/".$material['foreign_material_id']
             : URLHelper::getURL("dispatch.php/oer/endpoints/download/".$material->getId());
 
-        if ($material['player_url'] || $material->isPDF()) {
-            if ($material['player_url']) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
+            if ($material->hasValidPreviewUrl()) {
                 OERDownloadcounter::addCounter($material->id);
                 $url = $material['player_url'];
             }
             $htmlid = "oercampus_".$material->id."_".uniqid();
-            $output = "<iframe id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";
+            $output = "<iframe sandbox=\"allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts\" id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";
 
             return $output;
         }
 
         $tf = new Flexi_TemplateFactory($GLOBALS['STUDIP_BASE_PATH']."/app/views");
-        if ($material['player_url'] || $material->isPDF()) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
             $template = $tf->open("oer/embed/url");
         } elseif ($material->isVideo()) {
             $template = $tf->open("oer/embed/video");
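Review bot: The sandbox token list in the new `$output` string duplicates, byte for byte, the one added to app/views/oer/embed/url.php in this commit, so a future change to one will silently diverge from the other; a class constant the view can reference, `public const IFRAME_SANDBOX = 'allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts';`, used as `"<iframe sandbox=\"" . self::IFRAME_SANDBOX . "\" id='" . $htmlid . "' ..."`, keeps them in one place. As a minor style point, `hasValidPreviewUrl()` is evaluated twice in a row on the two changed `if` lines and parses the URL each time; a local `$hasPreview = $material->hasValidPreviewUrl();` before the first check reads more clearly. The enclosing method, including where `$url` is first assigned, starts and ends outside this hunk.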
@@ -285,6 +285,24 @@ class OERMaterial extends SimpleORMap
         return (bool) $this['structure'];
     }
 
+    /**
+     * Checks the URL scheme of the preview URL (player_url).
+     * HTTP, HTTPS, Gopher and Gemini are supported schemes.
+     *
+     * @return bool True, if the URL scheme matches the allowced ones,
+     *     false otherwise.
+     */
+    public function hasValidPreviewUrl() : bool
+    {
+        if ($this->player_url) {
+            $scheme = parse_url($this->player_url, PHP_URL_SCHEME);
+            if (in_array($scheme, ['http', 'https'])) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     public function isImage()
     {
         return stripos($this['content_type'], "image") === 0;
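Review bot: The docblock on the new `hasValidPreviewUrl()` says HTTP, HTTPS, Gopher and Gemini are supported, but the code accepts only `http` and `https`, and the form `pattern` and the controller warning added in this commit also only allow http(s); the docblock should say `HTTP and HTTPS are the supported schemes.` and "allowced" should read "allowed". The scheme check is also case-sensitive and non-strict: `parse_url()` returns the scheme as written, so `HTTPS://…` is rejected, and `in_array()` without `strict: true` does loose comparison on the `false`/`null` results `parse_url()` returns for malformed input. Normalising first, `$scheme = strtolower((string) parse_url($this->player_url, PHP_URL_SCHEME));` and `if (in_array($scheme, ['http', 'https'], true)) {`, closes both gaps; a `: bool` return with `declare(strict_types=1)` at the top of the file would let static analysis confirm the rest.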