hackmdio/codimd

<iframe> tag cause open redirect

Open

#959 创建于 2018年9月18日

在 GitHub 查看
 (2 评论) (0 反应) (0 负责人)JavaScript (1,038 fork)batch import
Hacktoberfesthelp wantedsecurity

仓库指标

Star
 (8,949 star)
PR 合并指标
 (30 天内没有已合并 PR)

描述

If the source website has the script like this:

<script type="text/javascript">
if(window != top) {
    top.location.href = location.href;
}
</script>

It may cause a open redirect issue on codimd. I use www.plurk.com which has anti-clickjacking code to demo.

Demo Link in demo.codimd.org

<iframe src="https://www.plurk.com/k1tten_">

Broswer verison:

Safari 11.0.2: triggered
Firefox Quantum 62.0 : triggered
Chrome 68.0.3440.106: not triggered

贡献者指南