Hi I am creating a chrome extension where I save a page as a string in the database and then later it Open as dataURI scheme:
d = 'data: text / html; Charset = UTF-8 '+ encoder (' HTML text ') location. Roland (D); The problem with this is that the page, its name is http: // X / , in which I executed, the javascript file Loses its head is considered using the document.write (d) , if in D & lt; Head & gt; ... & lt; / Head & gt; . http: // x / of
But this opens a big vulnerability problem for XSS. At this point when I save the original page, then I am trying to think about the white listing tag ... is there any other way is?
I'm not sure what you get from http: // X / That means, but if you want to copy the website to maintain its website (i.e. the code has been run as if it was downloaded from http: // X / ), then I'm afraid that this is not possible with standard DOM methods (this will be a security vulnerability that bypasses the same-basic security policy).
If you want to run third party source code safely, use it:
& lt; Iframe sandbox src = "data: ..." & gt; & Lt; / Iframe & gt; You can modify the source to properly create the relative URL and include & lt; Base href = "http: // X /" & gt; . / P>
Comments
Post a Comment