CodierIO / codier-issues

Report issues and bugs on Codier

It's possible to play sounds with the audio tag #11

Open ghost opened 6 years ago

ghost commented 6 years ago

Expected Behavior

Iframes that contain user-created snippets should be muted. Because of this I am able to play sounds (can be anything, like a screamer) anywhere my snippet is previewed (for example in the list of snippets in a challenge).

Current Behavior

Iframes that contain user-created snippets are not muted.

Steps to Reproduce

  1. Create an autoplaying HTML audio tag in a snippet.
  2. Try to find your nasty snippet preview in some sort of list.
  3. Audio will play in the background.

<audio controls autoplay style="display: none">
  <source src="http://soundbible.com/grab.php?id=2010&type=mp3" type="audio/mpeg">
</audio>

Environment

Any

KenanYusuf commented 6 years ago

Thanks for submitting this @AriInteractive, we will look into a way of preventing audio leaving the editor and get back to you once we have solved it.

N-Argyle commented 6 years ago

Confirmed. Added YouTube iframe with autoplay. The audio plays on the main page as well as the editor.

KenanYusuf commented 6 years ago

Fixed in latest deployment.

ghost commented 6 years ago

It's very easy to disable your script, because all I need to do is to add this to the JS editor:

document.addEventListener = function(){};

Also I can play the audio/iframe/video tags after you deleted/paused them, so that's a bummer.

I suggest:

  1. Move the code outside of the iframe. You should be able to do this if the iframe is on the same domain.
  2. Instead of onload, do it in a quick interval. This will make sure you can't add new tags after some time.
  3. If the script successfully pauses/removes illegal tags in multiple iterations (ex: once at 1s, second time at 2s etc), then you know there's some code that tries to add/unpause those tags in an interval. In this case you could remove the whole iframe, because you know it tries to be malicious.

Cheers!

KenanYusuf commented 6 years ago

@AriInteractive I don't think it is currently possible to move the script outside of the iframe, might require a bigger refactor if we can't prevent it this way.

Mind testing again?

ghost commented 6 years ago

Funny enough - breaking your code has become a challenge 😄

1) Here's code that disables your script

// clear all intervals
for (var i = 0; i < 1000; i++) {
  window.clearInterval(i);
}
// add video :)
document.body.innerHTML = '<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>';

2) I actually wasn't aware that you can also play sounds this way.

new Audio('http://soundbible.com/grab.php?id=2010&type=mp3').play();
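
The three suggestions made earlier in this thread (run the check from the parent page, repeat it on an interval, drop the preview after repeated hits), sketched as an added example that is not part of the thread and not Codier's code. Every name, the selector list, the threshold and the interval are assumptions, and `fakeDoc` is a constructed stand-in for a frame document so that `sweep` can be run outside a browser.

```javascript
// Added example: parent-side watchdog. All names here are hypothetical.
const MEDIA_SELECTOR = 'audio, video, iframe, embed, object';
const MAX_STRIKES = 3; // assumed: sweeps that found media before the frame is dropped

// One sweep over the snippet's document: pause and remove media elements,
// count a strike when any were present, and return the verdict.
function sweep(frameDoc, state) {
  const found = Array.from(frameDoc.querySelectorAll(MEDIA_SELECTOR));
  for (const el of found) {
    if (typeof el.pause === 'function') el.pause(); // audio/video only
    el.remove();
  }
  if (found.length > 0) state.strikes += 1;
  if (state.strikes >= MAX_STRIKES) return 'drop';
  return found.length > 0 ? 'cleaned' : 'clean';
}

// Runs in the parent page. The timer belongs to the parent window, so
// clearInterval() calls and listener overrides made on the snippet's own
// window do not touch it.
function watch(iframe, intervalMs = 250) {
  const state = { strikes: 0 };
  const timer = setInterval(() => {
    const doc = iframe.contentDocument; // null unless the frame is same-origin
    if (!doc) return;
    if (sweep(doc, state) === 'drop') {
      clearInterval(timer);
      iframe.remove(); // media keeps coming back: remove the whole preview
    }
  }, intervalMs);
  return () => clearInterval(timer); // lets the host page stop watching
}

// Constructed stand-in for a frame document (test data, not a real DOM).
function fakeDoc(tags) {
  const doc = { nodes: [] };
  doc.querySelectorAll = (sel) =>
    doc.nodes.filter((n) => sel.split(', ').includes(n.tag));
  doc.add = (tag) => {
    const el = { tag, paused: false, pause() { el.paused = true; },
                 remove() { doc.nodes = doc.nodes.filter((n) => n !== el); } };
    doc.nodes.push(el);
    return el;
  };
  tags.forEach((t) => doc.add(t));
  return doc;
}
```

A DOM sweep cannot see an element created with `new Audio()` that is never attached to the document, as in the last comment, and a same-origin frame is not isolated from its parent page, so this is a stopgap rather than a security boundary.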