Open codeHusky opened 9 years ago
Pretty self explanatory on this program. https://www.khanacademy.org/computer-programming/finished/5731082677518336
I tried adding a tag directly using markup and it worked fine. Are tags supposed to be not allowed? I tried creating an in markup and it complain so then I modified your example to add an <iframe> programmatically, which it did, but the iframe wouldn't actually load because of the CSP.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/codeHusky"><img src="https://avatars.githubusercontent.com/u/6946558?v=4" />codeHusky</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Well yeah, but you could use this to skip over the injection of KA's infinite loop protection for scripts</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/codeHusky"><img src="https://avatars.githubusercontent.com/u/6946558?v=4" />codeHusky</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>Also allows you to do this kind of thing. <a href="https://www.khanacademy.org/computer-programming/danger-script/6527297851752448">https://www.khanacademy.org/computer-programming/danger-script/6527297851752448</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/kevinbarabash"><img src="https://avatars.githubusercontent.com/u/1044413?v=4" />kevinbarabash</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>@MikaalSky I added an infinite loop to your first example and the infinite loop protection code caught it. Are you suggesting that a user could add a <code><script></code> tag or an <code><iframe></code> that contains a script that has an infinite loop? In that case, I think the CSP would protect against that.</p> <p>I agree that we should probably do something to guard against adding <code><iframes></code> and <code><script></code> tags to the page. This will probably require creating a "safe" version of <code>document</code> that throws exceptions when trying to create certain types of elements via <code>createElement</code>.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>
kevinbarabash
commented
9 years ago kevinbarabash
commented
9 years ago
Pretty self explanatory on this program. https://www.khanacademy.org/computer-programming/finished/5731082677518336