User:BWolff (WMF)/CSP/3
An example
Consider the Widgets extension. This is a MediaWiki extension that lets admins define templates of HTML snippets that normal users can (ideally safely) embed into a page. If a widget doesn't escape its parameters properly, the result is an XSS.
As an example, consider the iframe widget, which allows users to embed an iframe into a page. However, it doesn't properly escape double quotes (") in the URL, so a URL like https://example.com"onload="doEvilStuff() is interpreted as: use the URL https://example.com, and once the iframe has loaded, take over the browser and do something evil.
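The following PHP is an added illustration and is not code from the Widgets extension or from MediaWiki itself. It puts a minimal iframe-building helper in the broken shape described above next to a version that escapes the attribute value, and adds a scheme check, since escaping alone does not stop a javascript: URL from being used as an iframe source. The function names, and the idea of building the tag by string concatenation, are assumptions made for the example; the input string is the one quoted on this page.

```php
<?php
// Added example, not part of the Widgets extension or MediaWiki:
// the unescaped form of the iframe helper beside a hardened one.

/**
 * Vulnerable shape: the URL is dropped into the tag verbatim. A double
 * quote inside it closes the src attribute, and whatever follows is parsed
 * by the browser as further attributes (e.g. onload="...").
 */
function buildIframeUnsafe(string $url): string {
    return '<iframe src="' . $url . '"></iframe>';
}

/**
 * Only plain web URLs are acceptable as an iframe source; javascript:,
 * data: and the like are rejected before any markup is produced.
 * (Hypothetical helper; a real deployment would use its own allowlist.)
 */
function isAllowedIframeUrl(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Hardened shape: the value is escaped for an attribute context.
 * ENT_QUOTES turns both " and ' into entities (along with < > &), so the
 * value cannot terminate the attribute it sits in; ENT_SUBSTITUTE keeps
 * invalid UTF-8 from silently collapsing the output to an empty string.
 */
function buildIframeSafe(string $url): string {
    if (!isAllowedIframeUrl($url)) {
        // Emit nothing rather than a tag with an unvetted source.
        return '';
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $escaped . '"></iframe>';
}

// Constructed input: the attribute-breakout string quoted on this page.
$input = 'https://example.com"onload="doEvilStuff()';

echo buildIframeUnsafe($input), "\n";
echo buildIframeSafe($input), "\n";
```

Run with `php example.php`. The first line of output is markup in which the embedded quote ends `src` and `onload` appears as a second, attacker-chosen attribute, exactly the failure the page describes. In the second line the quote has become `&quot;`, so the entire string remains the value of `src` and no new attribute exists; the browser will simply fail to load that odd URL. In MediaWiki proper, building the tag through `Html::element()` instead of string concatenation applies the same attribute escaping without the author having to remember it.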