Reputation: 1658
I've set up an app to test different ways to execute XSS attacks; it will add anything I write in a textbox as an addition to the iframe src value.
But the src already contains a string inside of it. So if I write something like javascript:alert('123'), the final iframe src will look like this:
<iframe src="blahblahjavascript:alert('123')">
Is there a way to still execute JavaScript code inside of that iframe? (escape the src?)
Tried adding \n, closing quotes, and special UTF characters.
Upvotes: 0
Views: 594
Reputation: 20586
Overall, letting users change the iFrame source does not seem like a safe thing to do without escaping the result (at the very least). In terms of XSS attacks, you should assume every user input is dangerous and handle it accordingly. Never trust anything a client sends you. Never trust any user input. Always assume user input and things sent to you are dangerous and handle them accordingly.
It doesn't matter if it's an iFrame source or whatever. The point is to escape everything.
What if I were to enter "><h1>XSS</h1><iframe src=" into your text field? Would your input look like <iframe src="blahblah"><h1>XSS</h1><iframe src=""> or something similar?
If so, I could just put a script tag there instead and make it a lot worse.
Upvotes: 1