We Keep Coding

How can prevent Stored XSS by iframe?

I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this:
<iframe name="ext-gen568" frameborder="0" src="javascript:;" style="width: 514px; height: 189px;">
<html>
<head> ... </head>
<body>
<br><br>
<blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello</p>
<video><source src="x" onerror="alert('xss')"></video>
</blockquote>
</body>
</html>
</iframe>
I tried to add sandbox to iframe, but it doesn't work, the XSS alert still show.
Then I tried to change to <iframe src='#'... sandbox>, but XSS alert still show.
I removed src or just set it '' in <iframe src=''... sandbox>, it got this error: DOMException: Blocked a frame with origin "mytestdomain" from accessing a cross-origin frame.
What should I do to handle my issue?
Thanks a lot for any help.

The issue is fixed by set "allow-same-origin" for sandbox
<iframe sandbox="allow-same-origin" src="javascript:;"...></iframe>

How to redirect page twice while get cookie

Firstly, I know this nearly impossible because someone can steal cookie if this possible. But because I am still doubtful around 1%, so I think I need to ask the community, so I can completely know if this still possible or completely impossible.
Let's say I have mysite.com/promotion which is permalink for shop.org/aff.php?id=123. Id 123 is my affiliate ID. After visitor click that link, the visitor will redirected to shop.com/index.php (homepage). Then shop.com will command the visitor browser to save my affiliate cookie. Note: I have access for mysite.org but I don't have any access for shop.com.
The problem with this behaviour is that I only can promote the overall whole things about shop.org, but I cannot promote his specific product link. Because when I give the visitor a product link, I will not have any commission because the guest never access my affiliate url. But when I give him my affiliate url, he will need to find out where the product link is.
Now I will give some demo code to illustrate this.
shop.org/index.php
<?php session_start()?>
<h1>shop.com HOME PAGE</h1>
<div>cookie affiliate: <span>EMPTY</span></div><br>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.2.1/js.cookie.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" ></script>
<script type="text/javascript">
$(function(){
<?php if(isset($_SESSION['aff'])):?>
Cookies.set('aff', '<?=$_SESSION['aff']?>');
<?php endif;?>
var aff = Cookies.get('aff');
if(aff!==undefined){
$('span').text(aff);
}
})
</script>
shop.org/aff.php?id=123
<?php session_start();
$_SESSION['aff'] = $_GET['id'];
header('Location:https://shop.org/index.php');
shop.org/product.php
<?php session_start();?>
<p>shop.com PRODUCT PAGE</div>
<div>cookie affiliate: <span>EMPTY</span></div><br>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.2.1/js.cookie.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" ></script>
<script type="text/javascript">
$(function(){
<?php if(isset($_SESSION['aff'])):?>
Cookies.set('aff', '<?=$_SESSION['aff']?>');
<?php endif;?>
var aff = Cookies.get('aff');
if(aff!==undefined){
$('span').text(aff);
}
})
</script>
Try 1: hidden iframe then redirect with js / html meta
mysite.org/promotion
<!DOCTYPE html>
<html>
<head>
<title>INI REDIRECT</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="refresh" content="5;URL=https://shop.org/product.php" />
</head>
<body>
<iframe src="https://shop.org/aff.php?id=123" width="0" height="0" tabindex="-1" title="empty" style="display:none;"></iframe>
<div>You will be redirect in 5 seconds</div>
</body>
</html>
Visitor will fail to get my affiliate cookie because he get warned : A cookie associated with a cross-site resource at https://shop.org/ was set without the 'SameSite' attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with 'SameSite=None' and 'Secure'.
Try 2: jQuery load
<!DOCTYPE html>
<html>
<head>
<title>INI REDIRECT</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="refresh" content="5;URL=https://shop.org/product.php" />
</head>
<body>
<iframe src="https://shop.org/aff.php?id=123" width="0" height="0" tabindex="-1" title="empty" style="display:none;"></iframe>
<div>You will be redirect in 5 seconds</div>
<div id="msgDiv"></div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" ></script>
<script>
$(function(){
$('#msgDiv').load('https://shop.org/aff.php?id=123');
});
</script>
</body>
</html>
this will fail too, because CORS policy. Remember I don't have any access to shop.org, so I can't enable this.
Try 3: scraping the cookies then give visitor that cookies
I have not given code here, because I know this will fail too. The reason is we cannot give cross domain cookie to the browser.
My question is, is this completely impossible or still possible?
Note: if only 1 site, I just need to email them to fulfill my needs. But, shop.org is only 1 example of the most common affiliate system. So this question is only focusing without any change at server. Yes, impossible, but I just have a little doubt here.

I think it's nearly impossible, because the CORS-Policy is exactly to block this cases.
You can do something like this only if the other site allows this with a specific HTTP-Header.
You can try <img src="https://shop.org/aff.php?id=123" style="height: 0; width: 0;">, but i think the result would be the same to the iframe.
Other method:
Maybe the shop-page offers this method, for example with a GET-Attribute:
shop.com/aff.php?id=123&url=/product/myproduct/
or
shop.com/product/myproduct/?aff=123

Liferay iframe java script document unavaible

I have project based on liferay-portal-6.2-ce-ga5. On my page I want to have iframe with dynamic height.
Right now I do have my iframe like this:
<iframe id="1231-iframe" nam="iframe-name" src="http://localhost:123/ca-clickableDummy/test.html"
page content (on payara41) is:
<!DOCTYPE html>
<html>
<head>
<title>Title</title>
</head>
<body>
<div style="height: 600px;background-color: #3c763d"> sadas</div>
</body>
</html>
but if I want to do anything with iframe content I`m receive bug:
Error: Permission denied to access property "document"
No matter what I`m doing from jquery/js I cannot access this property, what blocks me.
Can someone help me with that ?

Can't access parent elements from iframe

I do not get it. I thought that I didi it, and now I cannot do it.
Simple html with an iframe. Indide the iframe is another html. I want to change an image from the main iframe when you access the iframe.
HTML from the main html:
Main html:
<!DOCTYPE HTML>
<html lang="en">
<head></head>
<body>
<img id="logo" src="../img/fpdfilms-logo-home.png" />
<iframe id="fondo" name="main" src="test.html"></iframe>
</body>
</html>
test.html
<!DOCTYPE HTML>
<html lang="en">
<head></head>
<body>
<a href="#" onclick="change();">Change Picture</p>
<script src="../js/jquery-1.11.2.min.js"></script>
<script type="text/javascript">
function change()
{
var $logo= $('#logo', window.parent.document);
alert("Does it work?");
$logo.attr("src","../img/fpdfilms-logo-director.png");
}
</script>
</body>
</html>
It is supposed to change the picture when you click on the link. But the ALERT is not showing... I've tried different ways and I'm really lost. Is so difficult to achieve this simple change?

Checked your page (chrome 40) and got
SecurityError: Blocked a frame with origin "null" from accessing a frame with origin "null". Protocols, domains, and ports must match.
so I checked in a server (local express) and works fine.

You can refer to this answer as it does what you need with jquery.
how to access iFrame parent page using jquery?
From the above example selecting an element from an iframe in the parent document use
var $parentElement= $('#parentElement', window.parent.document);

Initiating Soundcloud for practice page

I've registered a practice app for soundcloud in order to get a client id. My app doesn't have an official site because I don't want to register a domain. I'm just trying to learn how to use soundcloud using a .html and .js file. I've followed the API tutorials exactly, but nothing happens whenever I try to use soundcloud. I initialized SC using my client ID, and have imported JQuery and everything I need to. Thanks for the help
my html file (practice.html):
<!doctype html>
<html>
<head>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<script src="//connect.soundcloud.com/sdk.js"></script>
<script src= "script.js"></script>
</head>
<body>
<div id="player"></div>
</body>
</html>
my .js file (script.js):
SC.initialize({
client_id: 'the client id they gave me...'
});
$(document).ready(function() {
SC.get('/tracks/293', function(track) {
SC.oEmbed(track.permalink_url, document.getElementById('player'));
});
});
Again, nothing happens when I load the page...

Looks like you're missing the full url for the SoundCloud JavaScript SDK (missing http:):
<html>
<head>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<script src="http://connect.soundcloud.com/sdk.js"></script>
<script src= "script.js"></script>
</head>
<body>
<div id="player"></div>
</body>
</html>
You should be able to run this locally within your browser as SoundCloud supports Cross Origin Resource Sharing headers, removing the restriction on XSS: Of CORS We Do