堆栈内存溢出
  简体   繁体   English

如何防止 iframe 存储的 XSS?

[英]How can prevent Stored XSS by iframe?

 原文  2021-05-14 02:51:26       javascript/ html/ security/ iframe/ xss

问题描述

I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this:我使用 Extjs 和 JS 构建一个对话框,可以在其中显示来自 DB 的 html 数据,该数据用iframe包装,如下所示:

<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite"> 
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <p>Hello</p>
    <video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>

I tried to add sandbox to iframe , but it doesn't work, the XSS alert still show.我尝试将sandbox添加到iframe ,但它不起作用,XSS 警报仍然显示。

  • Then I tried to change to <iframe src='#'... sandbox> , but XSS alert still show.然后我尝试更改为<iframe src='#'... sandbox> ,但 XSS 警报仍然显示。
  • I removed src or just set it '' in <iframe src=''... sandbox> , it got this error: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.我删除了src或者只是在 <iframe src= '' <iframe src=''... sandbox>中设置了它,它得到了这个错误: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.

What should I do to handle my issue?我应该怎么做才能处理我的问题?

Thanks a lot for any help.非常感谢您的帮助。

1 个解决方案

解决方案1
 0 已采纳  2021-05-19 09:26:10

The issue is fixed by set "allow-same-origin" for sandbox通过为沙盒设置“允许同源”解决了该问题

<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何防止针对keyup()jQuery事件的XSS? - How can I prevent XSS for an keyup() jQuery event? 如何对要放入iframe src属性的值进行编码以防止ASP.NET MVC中的XSS - How to encode value to put in iframe src attribute to prevent XSS in ASP.NET MVC 如何通过URL防止XSS? - How to prevent XSS via URL? 这是什么类型的 XSS 以及如何防止它 - What type XSS this is and how to prevent it 如何在以下代码中防止XSS? - How to prevent XSS in the following code? 我可以通过使用会话来阻止XSS攻击吗? - Can i prevent an XSS attack by using a session? PHP:如何完全防止 XSS 攻击? - PHP: How to totally prevent XSS attacks? 带有Flashvars的XSS有什么可能? 怎么预防呢? - What is possible with XSS with Flashvars? How to prevent it? 如何防止XSS用于表单操作URL? - How to prevent XSS for the form action URL? 如何防止javascript中的客户端DOM XSS漏洞? - How to prevent Client DOM XSS vulnerability in javascript?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM