Adam Tong

Reputation: 571

How risky is this XSS exposure and how to make it safer

Before describing the problem, I will give you the context for why I am allowing this XSS exposure.

Context

I rely on an external API. One of the fields returned by the API is HTML (already encoded). I can decode it and show it in the page without worrying, because they have no interest in introducing malicious code. The problem I found is that their HTML is not always valid and it breaks the page if shown as is. So now I am showing it in an iframe so that it does not break anything.

Code

I have the html encoded string in a hidden textarea in the main page that embeds an iframe like this:

<textarea id="my-data" class="hidden">
<?php echo $mydata;?>
</textarea>
<div>
<iframe src="/iframepage" frameborder="0" style="padding:0;width:100%;height:400px;">
</iframe>
</div>

And in my iframe page I have this html:

<div id="my-data">
</div>

And this jquery code:

$(document).ready(function() {
    // Look for the hidden textarea in the embedding (parent) document.
    if ($('#my-data', window.parent.document).length) {
        var $parentJobDescription = $('#my-data', window.parent.document);
        // .val() gives the decoded text of the textarea; .html() renders it as markup.
        $('#my-data').html($parentJobDescription.val());
    }
});

Problem Description & Questions

  1. What kind of risk am I incurring if somebody embeds the iframe page in a page that contains malicious code in a field with id "my-data"?
  2. I checked the existing ways of preventing that page from being embedded in a page other than my own website. I found that there are some tags you can use to tell the browser not to do so, and also some JS code you can use to prevent that. Both methods are not very reliable. In the back-end you can configure a .htaccess to prevent pages from being embedded in external pages, but it seems that it does that for all pages, not a specific page. Is there still any possibility to make this secure?

Upvotes: 2

Views: 106

Answers (2)

SilverlightFox

Reputation: 33588

What kind of risk am I incurring if somebody embeds the iframe page in a page that contains malicious code in a field with id "my-data"?

Outputting the

X-Frame-Options: SAMEORIGIN

response header will prevent your framed page from being framed by anyone else.

Even if they did frame your response, a malicious site would not be able to read the content due to the Same Origin Policy.

However, due to attacks like Clickjacking, it is best practice to output this header anyway.

Also note that X-Frame-Options is currently being phased out in favour of CSP's frame-ancestors, so for the time being it would be useful to output both headers for old and new browser support.

Upvotes: 1

Axel Amthor

Reputation: 11106

In order to make it secure, don't do anything in the parent; delete the textbox and move everything to the iframe page:

<div id="my-data">

  <?php echo $myData; ?>

</div>

... wherever you get $myData from, needs to be put here as well.

Upvotes: 0
