google / gitiles

A simple browser for Git repositories.
https://gerrit.googlesource.com/gitiles/

Option to see html files as page, not html source ? #109

Open fabiensanglard opened 7 years ago

fabiensanglard commented 7 years ago

If I link to a sample HTML report from the source code, gitiles shows the source of the HTML. Is there any way I can link to something that will render the HTML in the browser?

https://android.googlesource.com/platform/system/extras/+/43d72ea0509ab5aba1c90248f9aca12c73e03c44

craigfrancis commented 7 years ago

Probably not a good idea, just for security reasons.

In your case, the HTML will probably be fine; but any project that takes HTML from an unknown/unsafe source could include JavaScript.

The JavaScript could then do things to the website (like read/edit cookies)... which might be by accident (like the JavaScript editing things that happen to be related to gitiles), or it could be intentionally malicious (in effect this creates a "Stored XSS").

nattgris commented 6 years ago

If it's inserted in a sandboxed iframe, it should be safe, though?

larsonreever commented 5 years ago

Yes, it definitely creates a Stored XSS exploit to steal the identity data of the other user: cookies, session tokens and other information.

nattgris commented 5 years ago

Inside a sandbox? How is that possible?