User:BWolff (WMF)/CSP/3

An example

Consider the Widgets extension. This is a MediaWiki extension that allows admins to create templates of HTML snippets that normal users can (ideally safely) embed into a page. If a widget doesn't escape its parameters properly, the result can be an XSS.

As an example, consider the iframe widget, which lets users embed an iframe into a page. However, it doesn't properly escape double quotes (") in the URL, so a URL like https://example.com"onload="doEvilStuff() is taken to mean: use the URL example.com, and once it loads, take over the browser and do something evil.
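To make the failure concrete, here is an added Python illustration (not the extension's own code) that renders the iframe tag the flawed way and the escaped way, and uses a small constructed attribute scanner to show what a browser would take as attributes. The URL values, the scanner and the allow-list check are all assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed inputs. EVIL_URL has the shape described above: a literal quote
# closes the src attribute so that the remainder is read as a new attribute.
EVIL_URL = 'https://example.com"onload="doEvilStuff()'
SAFE_URL = "https://example.com/embed?id=42"


def render_iframe_unescaped(url: str) -> str:
    """Mimics the flawed widget: the URL is dropped into the template verbatim."""
    return f'<iframe src="{url}"></iframe>'


def render_iframe_escaped(url: str) -> str:
    """Hardened form: attribute escaping turns a literal quote into &quot;,
    so the value can never terminate the src attribute early."""
    return f'<iframe src="{html.escape(url, quote=True)}"></iframe>'


# A browser that sees a closing quote followed directly by text restarts
# attribute-name parsing. This toy scanner approximates that by accepting a
# name that follows whitespace or a quote character; it only reads the start tag.
_ATTR_NAME = re.compile(r'''[\s"']([A-Za-z][\w-]*)=''')


def attribute_names(markup: str) -> list[str]:
    start_tag = markup[: markup.index(">") + 1]
    return _ATTR_NAME.findall(start_tag)


# Escaping stops attribute breakout but says nothing about the scheme, so the
# embed target is also checked against a plain https host allow-list shape.
_HOST = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")


def is_allowed_src(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(_HOST.match(parts.netloc))


def render_widget(url: str) -> str:
    """Validate first, then escape; either step alone leaves a gap."""
    if not is_allowed_src(url):
        raise ValueError("widget src must be an https URL with a plain host")
    return render_iframe_escaped(url)
```

The unescaped render exposes an `onload` attribute to the scanner, while the escaped render leaves only `src`; `render_widget` rejects the malformed URL before it is ever rendered.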