Hello,
I have made XSS attempts on the beta version:
I tried both
It's easy enough to do but what's the concern about iframes? Iframes are sandboxed so it's not really a security issue is it?
Hello @anoek,
When I look at the source, the iframe tag I inserted appears without any sandbox attribute:
<iframe src="https://online-go.com" height="315" width="560"></iframe>
And as far as I know, sandbox is an HTML5 attribute.
Arnaud
Hi again,
Oh and actually, I have no idea if there's still a security concern with sandboxed iframe.
So, maybe it's enough to ensure they are in a sandbox. So far, I don't really know.
Arnaud
@anoek This is legit. The iframes aren't sandboxed. Fuseques made a (very annoying) demo in his profile.I won't put the details here, but get a hold of me and I can relay them.
I agree on the adjective. The moderators should do something now.
Sorry @arnaudgo i wasn't ignoring the issue, it's just been a rather busy few weeks (months). I'll be pushing out the fix later today