How can prevent Stored XSS by iframe? - javascript

I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this:
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello</p>
<video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>
I tried to add sandbox to iframe, but it doesn't work, the XSS alert still show.
Then I tried to change to <iframe src='#'... sandbox>, but XSS alert still show.
I removed src or just set it '' in <iframe src=''... sandbox>, it got this error: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
What should I do to handle my issue?
Thanks a lot for any help.

The issue is fixed by set "allow-same-origin" for sandbox
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>

Related

Force iframe to have an ID

I have some content on my site that can be embeded by other domains. What happens is that my iframes need to have an ID to run some javascript.
This is the iframe code I provide to my users:
<iframe src="http://www.example.com/embed/2854" id="zframe" width="100%" height="460" scrolling="no" frameborder="0"></iframe>
When the users remove the frame ID, my javascript stops working.
Is there a way wo force the iframe to have an ID via javascript?
Bellow is my implementation to try forcing the ID usage on my iframe when users remove the ID from the iframe code I provide:
<html>
<head>
<title></title>
</head>
<body>
<script>
document.getElementByTagName('iframe')[0].setAttribute("id", "zframe");
</script>
</body>
</html>

Can't access parent elements from iframe

I do not get it. I thought that I didi it, and now I cannot do it.
Simple html with an iframe. Indide the iframe is another html. I want to change an image from the main iframe when you access the iframe.
HTML from the main html:
Main html:
<!DOCTYPE HTML>
<html lang="en">
<head></head>
<body>
<img id="logo" src="../img/fpdfilms-logo-home.png" />
<iframe id="fondo" name="main" src="test.html"></iframe>
</body>
</html>
test.html
<!DOCTYPE HTML>
<html lang="en">
<head></head>
<body>
<a href="#" onclick="change();">Change Picture</p>
<script src="../js/jquery-1.11.2.min.js"></script>
<script type="text/javascript">
function change()
{
var $logo= $('#logo', window.parent.document);
alert("Does it work?");
$logo.attr("src","../img/fpdfilms-logo-director.png");
}
</script>
</body>
</html>
It is supposed to change the picture when you click on the link. But the ALERT is not showing... I've tried different ways and I'm really lost. Is so difficult to achieve this simple change?
Checked your page (chrome 40) and got
SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "null". Protocols, domains, and ports must match.
so I checked in a server (local express) and works fine.
You can refer to this answer as it does what you need with jquery.
how to access iFrame parent page using jquery?
From the above example selecting an element from an iframe in the parent document use
var $parentElement= $('#parentElement', window.parent.document);

Getting parent value in an iframe gives permission denied?

I have below two html files in two different web applications. WebApp1(somedomain.com) has PassValueIFrame.html and WebApp2 has inputForm.html. Here WebApp1 is secured and requires authentication. In PassValueIFrame.html i have an iframe which refers inputForm.html. Also, i have one hidden field in PassValueIFrame.html and am trying to retrieve its value in inputForm.html but am not getting its value it alerts as 'Permission denied to access property 'document''. Am i doing any wrong here? Please help me. As WenbApp1 is secured, cannot we access PassValueIFrame.html ? if we cannot access then is there any way to access secured page contents?
PassValueIFrame.html
<html>
<head>
<title>IFrame Example</title>
</head>
<body>
<input id="myInput" type="hidden" class="Language" value="English">
<iframe name="iframe" id="iframe_id" src="http://somedomain.com/inputForm.html" height="150" >
</iframe>
</body>
</html>
inputForm.html
<html>
<head>
<script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
<script language="javascript">
$(document).ready(function() {
alert($("#myInput", window.parent.document).val());
});
</script>
<title>IFrame Child Example</title>
</head>
<body>
<h1> Iframeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee </h1>
</body>
Thanks!
You seem to be violating the same origin policy restriction. You cannot access the iframe contents if both the parent and the iframe are hosted on the same domain. So basically if you want this to work you will have to host PassValueIFrame.html on http://somedomain.com.

How do I get a paragraph from a website and display it in an iframe?

I am trying to get the first paragraph from the website below and display it in an iframe.
Can you correct my code?
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
var iframe = document.getElementById('iframe');
$(iframe).contents().find("<p>").html();
</script>
</head>
<body>
<iframe name="iframe" id="iframe" src="https://www.baronaonlinepoker.com/blog" scrolling="yes" width="180" height="135">
</iframe>
</body>
</html>
You'd be better to use a DIV and use XMLHTTPRequest to set the innerHTML
If the browser loads a page from x.com, that page can have a frame whose source is y.com, but the x.com code will not have access to the y.com DOM. This is a cross-domain issue. You can read more here: http://en.wikipedia.org/wiki/Same-origin_policy
Please see my answer here: https://stackoverflow.com/a/19100553/98706
because I think your going about achieving something the wrong way.

how to protect a flash video from refresh?

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>flash video refresh</title>
</head>
<body>
<div id="PlayerZone"><embed height="496" width="580" flashvars="flvid=19742822&createtime=2012-4-19 13:46:33" wmode="opaque" allowscriptaccess="always" allowfullscreen="true" quality="high" bgcolor="#000000" name="player" id="player" src="swf/mine.swf" type="application/x-shockwave-flash"></div>
<a onclick="return test();" id="test">click me popup a div,and hide the scrollbar</a>
</body>
the code upon:
for example,when I click the a#test button,popup a div,it's no problem,but I want to hide the scrollbar while the div popup.
I used $('html').css('overflow','hidden') in test() function,in most browsers can perform it except FF(I used FF3.6) it will refresh the flash.
https://bugzilla.mozilla.org/show_bug.cgi?id=90268
(overflow/display/position cause this bug)
how to fix it?thank you
Hi thanks for asking these kind of question.
Better you use in a updated firefox version and try. if not
please refer this link this will help u i think. use local shared objects.
http://www.actionscript.org/forums/showthread.php3?t=79009
http://flash.bigresource.com/How-to-protect-Flash-Videos-from-Being-Downloaded-KV9j8rfkn.html
http://whatisgon.wordpress.com/2010/03/17/poking-around-in-the-firefox-cache-and-protecting-your-privacy-from-flash/

Categories