
Iframe's srcDoc allow arbitrary scripts which can result in unsafe packages published #246

@joakin


Using iframes and srcDoc, you can add an arbitrary script tag to your application, from which you can access the parent window and do anything you want.

You could publish a package that looked like a safe Html element but under the hood was doing pretty much anything with JS.

https://ellie-app.com/kfNPH9Y2qvqa1

module Main exposing (main)

import Html
import Html.Attributes


main =
    Html.iframe
        [ Html.Attributes.srcdoc """
        <body><script>
        alert('Hello from the iFrame')
        window.parent.document.body.innerHTML = 'XSS in Elm packages?'
        </script></body>
        """
        ]
        []
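As an added example that is not part of this issue or of elm/html: a small Python scanner a reviewer could run over a package's source before depending on it, flagging every place the srcdoc attribute is set, including calls hidden behind an import alias or a bare exposed name. It assumes the generic `attribute`/`property` helpers in Html.Attributes can set the same attribute by name, so those are flagged as well.

```python
"""Flag every place an Elm module sets the iframe srcdoc attribute.

Added example (not from this issue or elm/html) for reviewing a package's
source before depending on it: Elm packages have no JS FFI, so an iframe
srcdoc carrying a <script> is one of the few ways they can reach window.parent.
"""
import re

# import Html.Attributes [as Alias] [exposing (...)]
IMPORT_RE = re.compile(
    r"^import\s+Html\.Attributes(?:\s+as\s+(\w+))?(?:\s+exposing\s+\(([^)]*)\))?",
    re.MULTILINE,
)
# Assumption: the generic helpers can set the same attribute by name.
GENERIC_RE = re.compile(r'\b(?:attribute|property)\s+"srcdoc"')


def strip_comments(src: str) -> str:
    """Remove Elm comments while keeping line numbers stable."""
    src = re.sub(r"\{-.*?-\}", lambda m: "\n" * m.group().count("\n"), src, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", "", src)


def find_srcdoc_uses(src: str) -> list[int]:
    """Return 1-based line numbers that set srcdoc, resolving import aliases."""
    code = strip_comments(src)
    qualifiers, exposed_bare = {"Html.Attributes"}, False
    for alias, exposing in IMPORT_RE.findall(code):
        if alias:
            qualifiers.add(alias)
        names = {n.strip() for n in exposing.split(",")}
        exposed_bare |= "srcdoc" in names or ".." in names
    patterns = [re.compile(rf"\b{re.escape(q)}\.srcdoc\b") for q in qualifiers]
    if exposed_bare:
        patterns.append(re.compile(r"(?<![\w.])srcdoc\b"))
    patterns.append(GENERIC_RE)
    return [
        n for n, line in enumerate(code.splitlines(), start=1)
        if not line.lstrip().startswith("import ")
        and any(p.search(line) for p in patterns)
    ]


# Constructed sample: hides the call behind an alias and a bare exposed name.
SAMPLE = """module Widget exposing (view)
import Html exposing (iframe)
import Html.Attributes as A exposing (srcdoc, class)
-- srcdoc in a comment must not count
view = iframe [ class "w", srcdoc "<script></script>" ] []
frame = iframe [ A.srcdoc "<p>text</p>" ] []
"""
```

Running `find_srcdoc_uses(SAMPLE)` reports lines 5 and 6; the proof of concept above is flagged on the line holding `Html.Attributes.srcdoc`.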
