
I have a string containing some HTML and maybe JS code that comes from a third-party site and may contain malicious code trying to steal cookies from my site.

I am using the following code on my site to preview it.

<!-- iframe is not a void element; it needs an explicit closing tag -->
<iframe id="fff"></iframe>

// grab the frame's document (same-origin, so the parent can reach into it)
var iframe = document.getElementById('fff'),
    iframedoc = iframe.contentDocument || iframe.contentWindow.document;
// write the untrusted markup straight into the frame's body
iframedoc.body.innerHTML = third_party_code;

To test it against XSS, I tried the following code

iframedoc.body.innerHTML = '<script>alert(parent.document.cookie);</script> ';

The code didn't pop any message box. So, can I assume my site is safe from XSS attacks, or am I missing something?

  • No, innerHTML-based script tags never execute, but onmouseover events do... Furthermore, local iframes are not blocked; use a dataURL, CSP, or an off-site echo to enforce SOP. Oh, and don't use cookies anyway; they are not really needed in the 21st century. – dandavis Jan 21 '14 at 18:25
  • @dandavis hmm. I thought maybe the alert function is not working due to the same-domain policy. Is there something I can do to avoid this? –  Jan 21 '14 at 18:27
  • I listed 3 options to sanitize your data. Test against iframedoc.body.innerHTML = "xss" – dandavis Jan 21 '14 at 18:29
  • You could try the `sandbox` attribute - see [this answer](http://stackoverflow.com/a/21244925/413180) – SilverlightFox Jan 22 '14 at 21:25
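The following is an added example, not code from the question or from any of the commenters. It puts the question's same-origin innerHTML preview beside the sandboxed iframe the last comment points to, and carries a test payload that actually fires under innerHTML (an inline event handler) next to the `<script>` payload that never does. The payload strings, the function names, the `escapeAttr` helper and the preview-container element are assumptions made for this example.

```javascript
// Added example (not from the original post or its comments).

// Constructed test payloads. The first mirrors the asker's test: innerHTML
// never executes <script> elements, so a silent result proves nothing.
// The second uses an inline event handler, which innerHTML does wire up;
// it fires as soon as the broken image fails to load. In a same-origin
// frame, parent.document.cookie is readable, so this is the real XSS.
const PAYLOADS = {
  scriptTag: '<script>alert(parent.document.cookie);</script>',
  imgOnerror: '<img src="x" onerror="alert(parent.document.cookie)">',
};

// The asker's approach: untrusted HTML written straight into a frame that
// shares the page's origin. Nothing stops frame scripts reaching `parent`.
function previewUnsafe(iframe, html) {
  const doc = iframe.contentDocument || iframe.contentWindow.document;
  doc.body.innerHTML = html;
}

// Escape a string for use inside a double-quoted HTML attribute value.
// Without this, a `"` in the third-party HTML would end the srcdoc
// attribute and the rest of the payload would land in the parent page.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup for a sandboxed preview frame. With sandbox="" (no tokens) the
// frame gets an opaque origin and scripts are disabled outright. With
// "allow-scripts" the scripts run, but still from an opaque origin, so
// `parent.document` throws a SecurityError instead of handing out cookies.
// Never combine allow-scripts with allow-same-origin for untrusted content:
// the frame could then simply delete its own sandbox attribute.
function previewFrameMarkup(html, { allowScripts = false } = {}) {
  const tokens = allowScripts ? 'allow-scripts' : '';
  return `<iframe sandbox="${tokens}" srcdoc="${escapeAttr(html)}"></iframe>`;
}

// Hardened approach: drop a fresh sandboxed frame into a container element
// (assumed to exist in the page) and let srcdoc load the untrusted HTML.
// srcdoc documents also inherit the embedding page's CSP, so a CSP on the
// main page applies inside the preview too.
function previewSandboxed(container, html, opts) {
  container.innerHTML = previewFrameMarkup(html, opts);
  return container.firstElementChild;
}

// Browser-only demo; guarded so the helpers above also load outside a DOM.
if (typeof document !== 'undefined') {
  // Re-run the asker's experiment with a payload that really executes:
  // previewUnsafe(document.getElementById('fff'), PAYLOADS.imgOnerror);
  // Same payload, sandboxed: the onerror handler cannot reach the parent.
  previewSandboxed(document.getElementById('preview'), PAYLOADS.imgOnerror,
                   { allowScripts: true });
}
```

To reproduce the problem, run `previewUnsafe` with `PAYLOADS.imgOnerror` rather than the `<script>` string: the alert shows the parent's cookies. Running the same payload through `previewSandboxed` with `allowScripts: true` makes the handler throw on `parent.document`, and with the default `sandbox=""` it never runs at all.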

0 Answers