srcdoc in iframe not escaped correctly (GitHub issue #263)
Describe the bug
Content in the srcdoc attribute of an iframe needs additional escaping of the & character (see the HTML spec).
For example &lt; needs to be escaped to &amp;lt;.
This shows when trying to display HTML-escaped content inside <pre>.
Report has iframe with content unescaped. When I open the attachment HTML file directly, it is escaped.
To Reproduce
Steps to reproduce the behavior:
- Add HTML attachment with <pre>&lt;h1&gt;should be escaped&lt;/h1&gt;</pre>
Expected behavior
Escaped HTML tags remain escaped inside iframe in report.
Attachments
JSFiddle with current behavior (link); JSFiddle with expected behavior (link)
Top GitHub Comments
I think that this also applies to escaping " in Embedding.decodeData(string). It shouldn't be converted to ' but to &quot;. Citing the spec: "And remember to escape ampersands before quotation marks, to ensure quotation marks become &quot; and not &amp;quot;." So if I understand this correctly, the fix would be in Embedding.java:
decodedData.replaceAll("&", "&amp;").replaceAll("\"", "&quot;");
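The following is an added JavaScript example, not code from the issue or from the project's Embedding.java. It models two things from this thread: the issue description's point that &lt; placed into a srcdoc attribute reaches the iframe as a raw <, and the comment's point that & must be escaped before " so that quotation marks arrive as &quot; rather than &amp;quot;. The names escapeForAttribute, escapeForAttributeWrongOrder, decodeAttributeValue and contentSeenByIframe are hypothetical; decodeAttributeValue is a deliberately minimal model of browser attribute decoding that resolves only five named character references, and ATTACHMENT is a constructed sample.

```javascript
// Added example (not from the issue or the project's code): shows why
// HTML-escaped text placed into an iframe srcdoc attribute must be escaped
// a second time, and why ampersands must be escaped before quotation marks.

// Escape text for use as an HTML attribute value wrapped in double quotes.
// Ampersands first: otherwise the "&quot;" emitted for '"' would itself be
// turned into "&amp;quot;" by the second replacement.
function escapeForAttribute(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// The reversed order ('"' first, then '&'), kept only for comparison.
function escapeForAttributeWrongOrder(value) {
  return value.replace(/"/g, "&quot;").replace(/&/g, "&amp;");
}

// Minimal model of how a browser decodes an attribute value: each named
// character reference is resolved exactly once, in a single pass. A real
// parser handles the full reference table; this subset is enough here.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeAttributeValue(attr) {
  return attr.replace(/&(amp|lt|gt|quot|apos);/g, (match, name) => NAMED_REFS[name]);
}

// Build the srcdoc attribute with the given escaping function and return the
// markup the iframe's own parser will receive after the outer document has
// decoded the attribute value.
function contentSeenByIframe(html, escapeFn) {
  const attrValue = escapeFn(html);
  const tag = `<iframe srcdoc="${attrValue}"></iframe>`;
  const m = /srcdoc="([^"]*)"/.exec(tag);
  return decodeAttributeValue(m[1]);
}

// Constructed attachment: the <h1> is already HTML-escaped, so the report
// should display it literally inside <pre> rather than render a heading.
const ATTACHMENT = "<pre>&lt;h1&gt;should be escaped&lt;/h1&gt;</pre>";

// Without the extra escaping the iframe receives a live <h1> element.
const unescapedResult = contentSeenByIframe(ATTACHMENT, (s) => s);
// With it, the iframe receives the original escaped text unchanged.
const escapedResult = contentSeenByIframe(ATTACHMENT, escapeForAttribute);

console.log(unescapedResult); // <pre><h1>should be escaped</h1></pre>
console.log(escapedResult);   // <pre>&lt;h1&gt;should be escaped&lt;/h1&gt;</pre>
```

Run it with node to see both outputs. The check that matters for a report generator is the second one: whatever bytes were in the attachment file must come back out of decodeAttributeValue unchanged, which only holds when every & in the attachment was turned into &amp; before the content was placed in the attribute.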
I don’t quite follow your question. I am not an expert in software security.