Iframe in expanded quote

anon21958287 · October 28, 2014, 9:48am

iframes can be injected into an expanded quote.

Originally noticed here.

anon21958287 · October 28, 2014, 9:48am

Expand this quote to see an iframe.

sam · October 28, 2014, 10:04am

This topic is now unlisted. It will no longer be displayed in any topic lists. The only way to access this topic is via direct link.

sam · October 28, 2014, 10:05am

Looks like a security issue, I unlisted it @zogstrip will look at this ASAP

zogstrip · October 28, 2014, 10:08am

That’s a really good finding @boomzilla. Fixing it!

PJH · October 28, 2014, 12:19pm

XSS?

DoctorJones · October 28, 2014, 7:26pm

That’s an awesome find.

zogstrip · October 28, 2014, 9:59pm

Interesting enough, I couldn’t double escape the cooked version of the post otherwise jQuery wasn’t able to parse it properly… So I had to only slightly double escape it.

https://github.com/discourse/discourse/commit/9b29a23ecee5957974bc5504d0759984fae03043

sam · October 28, 2014, 10:05pm

Yeah I think there is potential to exploit, but not a clear XSS cause the iframe is in a sandbox.

It’s nitpicking though, I say award the XSS badge.

PJH · October 28, 2014, 10:35pm

Installed and confirmed patched on ours.

Topic		Replies	Views
Iframe reference being stripped in editor support	5	578	October 27, 2022
Getting an iframe in discourse support	6	1542	January 24, 2019
Cannot blur/unblur quoted spoiler text after quote is expanded and then collapsed ux pr-welcome	2	610	July 21, 2020
Cannot read property 'whiteListIframe' of undefined support	3	414	May 3, 2019
Support embedding Discourse in an iframe feature	15	7194	April 19, 2024

Iframe in expanded quote

Related Topics