Conversation
There was a problem hiding this comment.
the resulting embed values are not correctly sanitized, and could pose a XSS risk.
potential vector:
- evil twiddler sends some cleverly crafted href, able to sanitize the src + frame tag in the interpolated string.
I believe this can be safely escaped, or direct DOM api's could be used (which make some issues just impossible):
var iframe = document.createElement("iframe")
iframe.src = src;
iframe.width = 800;
iframe.height = 600;
let embedCode = iframe.outerHTML;The src still needs to be sanitized, but in the later case the vector is only stuff like javascript: Which is likely tricky to get to via this approach, but we should likely be sure due diligence was done here.
There was a problem hiding this comment.
That's really cool. But we are already using href in Share Twiddle. I'm going to open a PR ASAP and update Ember Twiddle for security reasons.
There was a problem hiding this comment.
Actually maybe I'm misunderstanding. According to this, using window.location.href is relatively safe, and generally more safe than alternatives: http://stackoverflow.com/questions/24078332/is-it-secure-to-use-window-location-href-directly-without-validation
|
i left comments re: the approach taking by columns here |
|
@stefanpenner @rwjblue @joostdevries Please review. |
|
sgtm |
3 participants
Fixes issue #13
Note: This builds on pull request #141, please review that first.