Online-go.com: HTML iframe tag is interpreted in profile page

Created on 7 Jan 2018  路  6Comments  路  Source: online-go/online-go.com

Summary

Hello,

I have made XSS attempts on the beta version:

I tried both

All 6 comments

It's easy enough to do but what's the concern about iframes? Iframes are sandboxed so it's not really a security issue is it?

Hello @anoek,

When I look at the source, the iframe tag I inserted appears without any sandbox attribute:

<iframe src="https://online-go.com" height="315" width="560"></iframe>

And as far as I know, sandbox is an HTML5 attribute.

Arnaud

Hi again,

Oh and actually, I have no idea if there's still a security concern with sandboxed iframe.

So, maybe it's enough to ensure they are in a sandbox. So far, I don't really know.

Arnaud

@anoek This is legit. The iframes aren't sandboxed. Fuseques made a (very annoying) demo in his profile.I won't put the details here, but get a hold of me and I can relay them.

I agree on the adjective. The moderators should do something now.

Sorry @arnaudgo i wasn't ignoring the issue, it's just been a rather busy few weeks (months). I'll be pushing out the fix later today

Was this page helpful?
0 / 5 - 0 ratings

Related issues

JDNdeveloper picture JDNdeveloper  路  4Comments

chaverly1 picture chaverly1  路  3Comments

flovo picture flovo  路  5Comments

Wizek picture Wizek  路  3Comments

jmdingess picture jmdingess  路  5Comments