What are the security risks of allowing users to add iframes?

Information Security Asked on November 21, 2021

In my web app I'm using a good sanitizer which lets me whitelist some specific HTML tags.
I'd like to allow <iframe> so that users can insert YouTube videos and so on.
However, I'm worried about vulnerabilities that this approach would introduce.
So I'm not sure this is a safe idea.
Appreciate your hints about this.

One Answer

"As soon as you're displaying content from another domain, you're basically trusting that domain not to serve up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe." - Shamelessly stolen from this thread.

However, your web app could be vulnerable if there is an XSS vulnerability inside the iframe content. You can mitigate this by setting the sandbox attribute.

Answered by maximillian1 on November 21, 2021
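
One way to combine the tag whitelist from the question with the sandbox attribute from the answer, as an added example (not code from the question, the answer, or any particular sanitizer). The function name, the host allowlist, the `/embed/` path rule and the sandbox tokens are assumptions chosen for YouTube-style embeds; the function rebuilds the attribute set from scratch, so user-supplied `sandbox`, `srcdoc` and event-handler attributes never reach the page.

```javascript
// Assumed policy values (not from the page): adjust to the providers you trust.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "www.youtube-nocookie.com"]);
// The server sets the sandbox tokens; the user never chooses them.
const SANDBOX_TOKENS = "allow-scripts allow-same-origin allow-presentation";

// Input: the attribute map a sanitizer parsed from a user-supplied <iframe>.
// Output: a fresh, safe attribute map, or null if the tag must be dropped.
function hardenIframeAttrs(attrs) {
  const raw = typeof attrs.src === "string" ? attrs.src.trim() : "";
  let url;
  try {
    url = new URL(raw); // no base URL: relative and scheme-relative srcs throw
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;         // rejects javascript:, data:, http:
  if (url.username || url.password) return null;      // rejects https://trusted@evil/
  if (url.port !== "") return null;                   // default HTTPS port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;  // exact match, no suffix tricks
  if (!url.pathname.startsWith("/embed/")) return null;

  // Build the output from nothing instead of filtering the input, so
  // srcdoc, onload, allow, name and any user-set sandbox are discarded.
  const out = { src: url.href, sandbox: SANDBOX_TOKENS };
  for (const dim of ["width", "height"]) {
    const value = String(attrs[dim] ?? "");
    if (/^\d{1,4}$/.test(value)) out[dim] = value;
  }
  return out;
}

// Constructed sample input: a user tries to weaken the sandbox and add a handler.
const sample = hardenIframeAttrs({
  src: "https://www.youtube.com/embed/VIDEO_ID",
  sandbox: "allow-top-navigation allow-scripts",
  srcdoc: "<script>alert(1)</script>",
  onload: "alert(1)",
  width: "560",
  height: "315px",
});
console.log(sample);
```

The sandbox tokens here are safe only because the framed content is cross-origin; for content served from your own origin, `allow-scripts` together with `allow-same-origin` lets the frame remove its own sandbox.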
