Trizzaye
Reputation: 87
How does Medium.com allow embeds without being vulnerable to XSS?
Medium.com allows you to paste a link into your post (a gist or YouTube video) and it will then fetch and embed that as an <iframe> with <script> tags.
How they can do that securely without opening themselves up to attackers inserting their own XSS code?
I presume they must do some sort of sanitization on the server side but how do they differentiate between trusted <iframe> and <script> tags that they have retrieved vs. others that may be inserted by an attacker?
I'd like to do something similar with Django and Medium Editor.
Upvotes: 0
Views: 103
Answers (1)
George Bougakov
Reputation: 43
They use embed.ly which
- Does not allow tags
- Allows only moderated resources
Upvotes: 0
Related Questions
- How to prevent XSS attacks when I need to render HTML from a WYSIWYG editor?
- How to embed code to medium blog which doesn't disappear
- How to reproduce medium.com editor's "embed media" button with Mobiledoc-kit?
- How can I disable markdown on a string in a embed?
- How in Django/Python can I ensure safety from WYSIWYG-entered HTML?
- How to embed a Python script into HTML
- What are the ways to allow embedded videos in Django/Python?
- Magento - How to allow certain tags (iframe, embed) in Magento's CMS editor?
- Python on the Web
- Embedding JavaScript? Or maybe some other technology is used?