Skip to content

Security: Cross-Site Scripting (XSS) via innerHTML in IFrame#500

Open
tomaioo wants to merge 2 commits into
NUKnightLab:masterfrom
tomaioo:fix/security/cross-site-scripting-xss-via-innerhtml-i
Open

Security: Cross-Site Scripting (XSS) via innerHTML in IFrame#500
tomaioo wants to merge 2 commits into
NUKnightLab:masterfrom
tomaioo:fix/security/cross-site-scripting-xss-via-innerhtml-i

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 14, 2026

Copy link
Copy Markdown

Summary

Security: Cross-Site Scripting (XSS) via innerHTML in IFrame

Problem

Severity: High | File: src/js/media/types/IFrame.js:L24

The media_id variable, derived from this.data.url, is directly assigned to innerHTML without sanitization. An attacker can supply a malicious URL in the storymap configuration JSON to inject arbitrary HTML and JavaScript, resulting in DOM-based XSS.

Solution

Do not use innerHTML with untrusted input. If an iframe is required, construct it using document.createElement('iframe') and set its src property directly, ensuring the URL uses an expected protocol (e.g., HTTPS).

Changes

  • src/js/media/types/IFrame.js (modified)
  • src/js/media/types/Blockquote.js (modified)

tomaioo added 2 commits July 14, 2026 12:01
The `media_id` variable, derived from `this.data.url`, is directly assigned to `innerHTML` without sanitization. An attacker can supply a malicious URL in the storymap configuration JSON to inject arbitrary HTML and JavaScript, resulting in DOM-based XSS.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
The `media_id` variable, derived from `this.data.url`, is directly assigned to `innerHTML` without sanitization. An attacker can supply a malicious URL in the storymap configuration JSON to inject arbitrary HTML and JavaScript, resulting in DOM-based XSS.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant