How can prevent Stored XSS by iframe?
Question
I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this:
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello</p>
<video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>
I tried to add sandbox to iframe , but it doesn't work, the XSS alert still show.
- Then I tried to change to
<iframe src='#'... sandbox>, but XSS alert still show. - I removed
srcor just set it''in<iframe src=''... sandbox>, it got this error:DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
What should I do to handle my issue?
Thanks a lot for any help.
1 answers
solution1
0 ACCPTED 2021-05-19 09:26:10
The issue is fixed by set "allow-same-origin" for sandbox
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How can I prevent XSS for an keyup() jQuery event?
How to encode value to put in iframe src attribute to prevent XSS in ASP.NET MVC
How to prevent XSS via URL?
What type XSS this is and how to prevent it
How to prevent XSS in the following code?
Can i prevent an XSS attack by using a session?
PHP: How to totally prevent XSS attacks?
What is possible with XSS with Flashvars? How to prevent it?
How to prevent XSS for the form action URL?
How to prevent Client DOM XSS vulnerability in javascript?
Related Tags