Skip to content

Iframe's srcDoc allow arbitrary scripts which can result in unsafe packages published #246

Description

@joakin

Using iframes and srcDoc adding a random script tag to your application, from which you can access the parent window and do anything you want.

You could publish a package that looked like a safe Html element and under the hood be doing pretty much anything with JS.

https://ellie-app.com/kfNPH9Y2qvqa1

module Main exposing (main)

import Html
import Html.Attributes


main =
    Html.iframe
        [ Html.Attributes.srcdoc """
        <body><script>
        alert('Hello from the iFrame')
        window.parent.document.body.innerHTML = 'XSS in Elm packages?'
        </script></body>
        """
        ]
        []

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions