Crossbell-Box / xLog

🪽 An open-source creative community written on the blockchain.
https://xlog.app

Support for custom content iframes #433

Open DIYgod opened 1 year ago

DIYgod commented 1 year ago

From: https://enpitsulin.xlog.app/xlog-content-extend

Example: <iframe src="data:text/html;base64,PGh0bWwgc3R5bGU9IiI+DQo8aGVhZD4NCjxzY3JpcHQgdHlwZT0ibW9kdWxlIiBzcmM9Imh0dHBzOi8vY2RuLmpzZGVsaXZyLm5ldC9ucG0vd2MtZ2l0aHViLWNvcm5lcnNAbGF0ZXN0Ij48L3NjcmlwdD4NCjwvaGVhZD4NCjxib2R5IHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOiB0cmFuc3BhcmVudDsiPg0KPGdpdGh1Yi1jb3JuZXJzIGJsYW5rPSJ0cnVlIj48L2dpdGh1Yi1jb3JuZXJzPg0KPC9ib2R5Pg0KPC9odG1sPg==" style="color-scheme: auto;"></iframe>

Uncertain whether it will bring security issues.

daidr commented 1 year ago

I feel that if base64 is allowed, being same-origin could easily lead to XSS.

Or maybe, when a data URL is detected, setting a sandbox attribute on the iframe would also work?
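The mitigation daidr proposes, carried through as an added example that is not xLog's own code: an `<iframe>` in user content whose `src` is a `data:` URL is kept but given a `sandbox` attribute, ordinary `http(s)` embeds pass through unchanged, and any other scheme (for example `javascript:`) or a missing `src` causes the element to be dropped. The `allow-scripts` sandbox value, the scheme normalisation, the string-level attribute parser and the treatment of `srcdoc` as inline content in the same sense as a `data:` URL are all assumptions of this example; a real renderer would apply the same policy inside whatever HTML pipeline it already uses.

```javascript
// Added example, not xLog's own code. Policy for <iframe> elements found in
// user-authored content, following the thread's suggestion: detect data: URLs
// and force a sandbox attribute on the iframe.

// Sandbox value applied to inline content (assumption of this example).
// allow-scripts lets snippets like the web-component example in the thread run;
// omitting allow-same-origin keeps the frame in an opaque origin with no access
// to the host page's cookies, storage or DOM. Never combine allow-scripts with
// allow-same-origin on same-origin content: the framed script could then remove
// the sandbox attribute itself.
const INLINE_SANDBOX = "allow-scripts";

// Normalise a URL the way a browser does before scheme detection: strip
// leading/trailing C0 controls and spaces, and remove tab/CR/LF anywhere.
// Returns the lower-cased scheme, or null for a relative or empty URL.
function urlScheme(src) {
  const cleaned = String(src ?? "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide what to do with one iframe, given its attributes as a plain object.
// Returns a new attribute object, or null if the iframe must be removed.
function hardenIframeAttrs(attrs) {
  const out = { ...attrs };
  const hasSrcdoc = Object.prototype.hasOwnProperty.call(out, "srcdoc");
  const scheme = urlScheme(out.src);

  if (hasSrcdoc || scheme === "data") {
    // Inline content supplied by the author: keep it, but isolate it.
    out.sandbox = INLINE_SANDBOX;
    return out;
  }
  if (scheme === "http" || scheme === "https") {
    // Remote embed: left to whatever embed policy the renderer already has.
    return out;
  }
  // javascript:, vbscript:, blob:, relative paths, missing src: drop the frame.
  return null;
}

// Constructed helper: parse the attributes of one start tag into an object.
// Good enough for markdown-renderer output; not a full HTML tokenizer.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Serialise attributes back, quoting values and escaping embedded quotes.
function serializeAttrs(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => `${k}="${String(v).replace(/"/g, "&quot;")}"`)
    .join(" ");
}

// Rewrite every <iframe ...>...</iframe> in an HTML fragment according to
// hardenIframeAttrs; frames the policy rejects are removed entirely.
function hardenIframes(html) {
  return html.replace(/<iframe\b([^>]*)>[\s\S]*?<\/iframe>/gi, (_, tagBody) => {
    const attrs = hardenIframeAttrs(parseAttrs(tagBody));
    if (attrs === null) return "";
    return `<iframe ${serializeAttrs(attrs)}></iframe>`;
  });
}

// Constructed sample in the shape of the thread's example (shortened base64).
const SAMPLE = '<iframe src="data:text/html;base64,PGh0bWw+" style="color-scheme: auto;"></iframe>';
console.log(hardenIframes(SAMPLE));
```

Running the block on the sample prints the same iframe with `sandbox="allow-scripts"` appended. The scheme check deliberately runs on a normalised copy of the URL, because browsers ignore tabs, newlines and leading whitespace when resolving a scheme, so a check on the raw string would miss a `data:` URL written as ` DATA:` or with an embedded tab.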