iframe reflective XSS attack
Describe the bug
```jsx
function Test() {
  let i = 'javascript:alert(1);'
  return (
    <iframe src={i} />
  )
}
```
When setting javascript:alert(1) on the iframe's src, an XSS attack will be triggered. This always happens on both the server and client sides. React's setProp handles src and href separately, filtering out this potential risk. I think this risk should be addressed at the framework level.
Your Example Website or App
https://playground.solidjs.com/anonymous/c9f1616a-47c3-4b50-870b-f4ab9c9d2b3f
Steps to Reproduce the Bug or Issue
View case
Expected behavior
no alert
Screenshots or Videos
No response
Platform
- OS: [e.g. macOS, Windows, Linux]
- Browser: [e.g. Chrome, Safari, Firefox]
- Version: [e.g. 91.1]
Additional context
No response
Security issues are taken seriously and MUST be reported via email to [email protected].
Please do not report or discuss these on GitHub; send the email and allow time for a reply. Thanks.
Thanks for the issue. Just for the record, we have discussed this internally a little bit.
Included a reference to this particular issue by amending our security suggested practices page.
Just to not keep things in the dark, what's being considered is to provide/adopt patterns that minimize/remove this risk and related ones, as opposed to runtime-checking everything.
Considering that this variable is obtained from the URL, it will become a reflected XSS attack. Therefore, it is necessary to insert a filter when compiling it into href.