[英]How can prevent Stored XSS by iframe?
I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe
like this:我使用 Extjs 和 JS 构建一个对话框,可以在其中显示来自 DB 的 html 数据,该数据用
iframe
包装,如下所示:
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello</p>
<video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>
I tried to add sandbox
to iframe
, but it doesn't work, the XSS alert still show.我尝试将
sandbox
添加到iframe
,但它不起作用,XSS 警报仍然显示。
<iframe src='#'... sandbox>
, but XSS alert still show.<iframe src='#'... sandbox>
,但 XSS 警报仍然显示。src
or just set it ''
in <iframe src=''... sandbox>
, it got this error: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
src
或者只是在 <iframe src= ''
<iframe src=''... sandbox>
中设置了它,它得到了这个错误: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
What should I do to handle my issue?我应该怎么做才能处理我的问题?
Thanks a lot for any help.非常感谢您的帮助。
The issue is fixed by set "allow-same-origin" for sandbox通过为沙盒设置“允许同源”解决了该问题
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.