How can prevent Stored XSS by iframe?

I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this:

<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite"> 
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <p>Hello</p>
    <video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>

JavaScript
​x
 
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite"> 
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <p>Hello</p>
    <video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>
​

I tried to add sandbox to iframe, but it doesn’t work, the XSS alert still show.

Then I tried to change to <iframe src='#'... sandbox>, but XSS alert still show.
I removed src or just set it '' in <iframe src=''... sandbox>, it got this error: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.

What should I do to handle my issue?

Thanks a lot for any help.

Answer

The issue is fixed by set “allow-same-origin” for sandbox

<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>

JavaScript
 
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>
​

Advertisement

Answer