4

I'm using Google Docs Viewer (https://docs.google.com/viewer) to display the contents of documents in my app. I support many different types of document (e.g. PDF, Microsoft Word, Plain Text, HTML, etc.). Everything works well except for HTML. Google Docs Viewer treats HTML as text and displays the source.

Is there any way to get Google Docs Viewer to render the HTML?

Here's an example: https://docs.google.com/viewer?url=http%3A%2F%2Fwww.google.com&embedded=true

Instead of rendering the Google home page, it shows the HTML mark-up.

I'm hoping I can use the Google Docs Viewer for all types of documents and not have to treat HTML differently.

Johnny Oshika

1 Answer

2

Imagine an attacker uploads an HTML file of Google's sign-in page

Makes the HTML public and sends it over email to your gf with the subject

Flash Fashion Sale Discount Coupons

Your gf will obviously click the link and won't be surprised to see a fake Google sign-in page on a docs.google.com domain.

She will convincingly enter her real credentials and will be redirected to the attacker's server and then some real Google Docs page to remove suspicion.

So, to protect users from phishing attacks, Google stopped rendering HTML.

source

HimalayanCoder
  • Couldn't the same be done with an image (that when clicked brings you to another Google-look-alike malicious server) or a pdf? – Pacerier Sep 18 '14 at 08:33
  • But where will she type the username and password? – HimalayanCoder Sep 19 '14 at 17:13
  • She needs to click on the "input box" (which is the image) before she can type the username/password. So after clicking it, she is redirected to the attacker's phishing website, and wouldn't realize it because everything is looking the same. Then she will be typing her username/password into the phishing form. – Pacerier Sep 20 '14 at 10:51
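
For an app like the asker's that has to treat HTML differently, the sketch below is an added example, not code from the question or the answer: it sends non-HTML documents to the viewer URL shown in the question and puts HTML in a fully sandboxed iframe, so a look-alike login form on the page cannot run script or submit. The names `buildEmbed`, `viewerUrl`, `parseHttpUrl`, `escapeAttr` and `HTML_TYPES` are hypothetical, and the MIME type is assumed to come from the app's own upload or fetch metadata.

```javascript
// Added example: pick an embed per document type. Only VIEWER comes from the
// question; every other name here is hypothetical.
const VIEWER = 'https://docs.google.com/viewer';
const HTML_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Escape a value before placing it inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only http(s) document URLs; javascript:, data:, file: are rejected.
function parseHttpUrl(docUrl) {
  const u = new URL(docUrl); // throws on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('unsupported scheme: ' + u.protocol);
  }
  return u;
}

// Same shape as the link in the question: ?url=<encoded>&embedded=true
function viewerUrl(docUrl) {
  const href = parseHttpUrl(docUrl).href;
  return VIEWER + '?url=' + encodeURIComponent(href) + '&embedded=true';
}

function buildEmbed(docUrl, mimeType) {
  const type = String(mimeType).split(';')[0].trim().toLowerCase();
  if (HTML_TYPES.has(type)) {
    // sandbox="" grants nothing: no scripts, no form submission, no popups,
    // no top-level navigation, and the content gets an opaque origin.
    const src = escapeAttr(parseHttpUrl(docUrl).href);
    return '<iframe sandbox="" referrerpolicy="no-referrer" src="' + src + '"></iframe>';
  }
  return '<iframe src="' + escapeAttr(viewerUrl(docUrl)) + '"></iframe>';
}
```

The sandboxed frame still shows the page under your app's address bar, so label it in the surrounding UI as third-party content.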