In my web app I'm using a good sanitizer which lets me whitelist some specific HTML tags.
I'd like to allow <iframe> so that users can insert YouTube videos and so on.
However, I'm worried about vulnerabilities that this approach would introduce.
So I'm not sure this is a safe idea.
Appreciate your hints about this.

Karlom
Please refer to this answer: https://security.stackexchange.com/a/197068 – Artem S. Tashkinov Jul 22 '20 at 09:11
1 Answer
"As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe." - Shamelessly stolen from this thread.
However, your web app could be vulnerable if there is an XSS vulnerability inside the iframe content. You can mitigate this by setting the sandbox attribute.

maximillian1
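The two points in the answer (only trust iframe content from a domain you have chosen, and sandbox it) can be enforced in the sanitizer itself. The following is an added example, not code from the question, the answer or any sanitizer library: a hypothetical hook `sanitizeIframeAttrs` that keeps an `<iframe>` only when its `src` is an HTTPS embed URL on an allowlisted YouTube origin, rebuilds the URL from its parts, drops every other attribute, and forces a `sandbox` token set (the token set itself is an assumption; adjust it to what the player actually needs).

```javascript
// Added example: an <iframe> allowlist hook for an HTML sanitizer.
// The names ALLOWED_EMBED_ORIGINS, EMBED_SANDBOX and sanitizeIframeAttrs are hypothetical.

const ALLOWED_EMBED_ORIGINS = new Set([
  "https://www.youtube.com",
  "https://www.youtube-nocookie.com",
]);

// Assumed token set: the player gets scripts and its own (cross-site) origin,
// but no top-level navigation, no popups, no form submission, no downloads.
const EMBED_SANDBOX = "allow-scripts allow-same-origin";

const EMBED_PATH = /^\/embed\/[A-Za-z0-9_-]{1,64}$/; // player path plus a video id
const DIMENSION = /^[0-9]{1,4}$/;                     // width/height as plain digits only

// Takes the attribute map of one <iframe> as a sanitizer hands it over.
// Returns the attribute map to emit, or null to drop the element entirely.
function sanitizeIframeAttrs(attrs) {
  if (!attrs || typeof attrs.src !== "string") return null;
  let url;
  try {
    url = new URL(attrs.src); // relative URLs and malformed input throw here
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;              // rejects javascript:, data:, http:
  if (!ALLOWED_EMBED_ORIGINS.has(url.origin)) return null; // exact origin, never substring match
  if (!EMBED_PATH.test(url.pathname)) return null;          // /watch, /.., /embed/../x all fail

  const clean = {
    // Rebuilt from origin and path: userinfo, query and fragment never pass through.
    src: url.origin + url.pathname,
    sandbox: EMBED_SANDBOX,
  };
  for (const name of ["width", "height"]) {
    if (typeof attrs[name] === "string" && DIMENSION.test(attrs[name])) {
      clean[name] = attrs[name];
    }
  }
  return clean; // onload, srcdoc, allow, name and anything else are dropped
}
```

Wire the function into whatever per-element hook your sanitizer offers so that `<iframe>` is emitted only with the attributes it returns.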