$_GET input was left unsanitized, which can lead to script injection. For example:
http://bradfrostweb.com/demo/ish/?url=javascript:document.write('Hello%20%3Cscript%3Edocument.write(\'Hey%20there\');%3C/script%3E');
This can be fixed either by sanitizing input (which you should do anyways) or by adding a sandbox attribute to the iFrame itself.
Sandbox isn't supported everywhere, however, and will prevent all scripts from being executed in the iFrame. It may also not protect against all attacks.
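
One way to do the input sanitizing described above, as an added example rather than code from this project. It assumes the `url` query parameter ends up in the iframe's `src` attribute; `safe_iframe_url()` and `render_iframe()` are hypothetical helper names, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical helpers, not the project's own code.

// Return $raw only if it is an absolute http(s) URL; otherwise a harmless fallback.
function safe_iframe_url(?string $raw, string $fallback = 'about:blank'): string
{
    $raw = trim((string) $raw);
    // Browsers ignore tabs and newlines inside a scheme ("java\tscript:"),
    // so reject any whitespace or control character instead of stripping it.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback; // relative, scheme-less or malformed input
    }
    // Allowlist of schemes: javascript:, data:, vbscript: and the rest all fail here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    return $raw;
}

// Build the iframe markup. Escaping stops the value from breaking out of the
// attribute; the scheme check stops it from being executable in the first place.
function render_iframe(?string $raw, bool $sandbox = false): string
{
    $src = htmlspecialchars(safe_iframe_url($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // A bare sandbox attribute blocks all scripts in the framed page, so it is
    // opt-in here and treated as a second layer, not the primary fix.
    $attr = $sandbox ? ' sandbox' : '';
    return '<iframe' . $attr . ' src="' . $src . '"></iframe>';
}

// Constructed sample inputs, standing in for $_GET['url'].
$samples = [
    'http://example.com/page?a=1&b=2',      // kept, & escaped to &amp;
    "javascript:document.write('Hello')",   // rejected: scheme not allowed
    "java\tscript:alert(1)",                // rejected: control character
    '"><script>alert(1)</script>',          // rejected: no scheme or host
    '//example.com/',                       // rejected: scheme-relative
];
foreach ($samples as $s) {
    echo render_iframe($s, true), PHP_EOL;
}
```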