Information Security Asked on November 21, 2021
In my web app I’m using a good sanitizer which let’s me to whitelist some specific html tags.
I’d like to allow <iframe>
so that users can insert youtube videos and so on.
However I’m worried about vulnerabilities that this approach would introduce.
So not sure this is a safe idea.
Appreciate your hints about this.
"As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe." - Shamelessly stolen from this thread.
However your web app could be vulnerable if there is XSS vulnerability inside the iframe content. You can mitigating this by setting the sandbox
attribute.
Answered by maximillian1 on November 21, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP