I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe
like this:
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;"> <html> <head> ... </head> <body> <br><br> <blockquote type="cite"> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <p>Hello</p> <video><source src="x" onerror="alert('xss')"></video> </blockquote> </body> </html> </iframe>
I tried to add sandbox
to iframe
, but it doesn’t work, the XSS alert still show.
- Then I tried to change to
<iframe src='#'... sandbox>
, but XSS alert still show. - I removed
src
or just set it''
in<iframe src=''... sandbox>
, it got this error:DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
What should I do to handle my issue?
Thanks a lot for any help.
Advertisement
Answer
The issue is fixed by set “allow-same-origin” for sandbox
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>