What are the security risks of allowing users to add iframes?

In my web app I’m using a good sanitizer which lets me whitelist some specific HTML tags.
I’d like to allow <iframe> so that users can insert YouTube videos and so on.
However, I’m worried about vulnerabilities that this approach would introduce.
So I’m not sure this is a safe idea.
I’d appreciate your hints about this.

Information Security Asked on November 21, 2021


One Answer

"As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe." - Shamelessly stolen from this thread.

However, your web app could be vulnerable if there is an XSS vulnerability inside the iframe content. You can mitigate this by setting the sandbox attribute.

Answered by maximillian1 on November 21, 2021
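
The sketch below is an added example, not part of the question or the answer above. It shows one way to apply the sandbox advice on the server side: rather than passing a user's `<iframe>` through, rebuild it from validated parts. The function name `sanitizeIframe`, the host allowlist and the chosen sandbox tokens are assumptions for illustration, and the sample inputs are constructed.

```javascript
// Added example: rebuild user-supplied <iframe> attributes into a safe tag.
// ALLOWED_HOSTS and the sandbox token set are assumptions for this sketch.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "www.youtube-nocookie.com"]);
const SANDBOX = "allow-scripts allow-same-origin allow-presentation";

function clampDimension(value, fallback) {
  const n = Number.parseInt(value, 10);
  return Number.isInteger(n) && n >= 100 && n <= 1920 ? n : fallback;
}

// attrs: plain object of attribute name -> value as parsed by the sanitizer.
// Returns a freshly built <iframe> string, or null when the tag must be dropped.
function sanitizeIframe(attrs) {
  let url;
  try {
    url = new URL(String(attrs.src || ""));
  } catch {
    return null; // relative, empty, or malformed src
  }
  // Reject javascript:, data:, http:, credentials in the URL, and odd ports.
  if (url.protocol !== "https:" || url.username || url.password || url.port) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Only the embed player path, with a plain video id.
  const m = /^\/embed\/([A-Za-z0-9_-]{6,20})$/.exec(url.pathname);
  if (!m) return null;

  // Rebuild from validated parts; user-supplied srcdoc, on*, sandbox, allow
  // and style attributes are never copied through.
  const src = `https://${url.hostname}/embed/${m[1]}`;
  const width = clampDimension(attrs.width, 560);
  const height = clampDimension(attrs.height, 315);
  return `<iframe src="${src}" width="${width}" height="${height}" ` +
    `sandbox="${SANDBOX}" referrerpolicy="strict-origin-when-cross-origin" ` +
    `loading="lazy"></iframe>`;
}

// Constructed sample inputs.
const samples = [
  { src: "https://www.youtube.com/embed/dQw4w9WgXcQ", width: "640", onload: "x()" },
  { src: "javascript:alert(1)" },
  { src: "https://www.youtube.com.example.net/embed/dQw4w9WgXcQ" },
  { src: "https://www.youtube.com/embed/dQw4w9WgXcQ", srcdoc: "<script>x</script>", sandbox: "" },
];
for (const s of samples) console.log(sanitizeIframe(s));
```

Combining `allow-scripts` with `allow-same-origin` is only acceptable here because the framed page is on a different origin from the embedding app; the token list omits `allow-top-navigation`, `allow-popups` and `allow-forms`, so the frame cannot redirect the parent page.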
