How to observe an error in an iframe element with the "sandbox" attribute


18

I have one iframe in my document with the sandbox attribute.

With JavaScript I read a Markdown file, parse it using the showdownjs library and add the result to the srcdoc attribute of the iframe, and the result is as expected.

However, the files come from users and will be visible to other users, so I make use of the sandbox attribute.

When there is a script in the Markdown file... the page containing the iframe throws an error in the browser console (obvious: if the attribute prevents execution, there must be an error when there is an attempt).

How can I (if I can) observe this error in JavaScript? Know whether there has been an error?

Thanks in advance.


Update

page.html

<!DOCTYPE html>
<html lang="">
<head>
   <title>Teste</title>
</head>
<body id="body">
   <iframe id="frame" sandbox></iframe>

   <script type="text/javascript" src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
   <script type="text/javascript" src="https://rawgit.com/showdownjs/showdown/develop/dist/showdown.min.js"></script>
   <script type="text/javascript">
       var md = '###Hello Word <script>alert("!")<\/script>';
       var converter = new showdown.Converter();
       var MDtoHTML = converter.makeHtml(md)
       var ifrm = $('#frame')
       ifrm.attr('srcdoc', MDtoHTML);
   </script>
</body>
</html>

jsFiddle example

Well, that is the screenshot of the said error! So it happens, and I believe my question makes at least some sense! If it were possible to "observe" it, I could display a pop-up, a banner or even a log, to identify malicious uploaders.

  • Can you make a jsFiddle with an example of what you're doing?

  • I even tried to use Fiddle, but I could not. I will update the question and put part of the code.

  • Added example in jsFiddle: https://jsfiddle.net/hgmzov4g/

  • Related: http://answall.com/q/142711/3635

  • I didn't see how it could be related. In the example question the user wants to run JavaScript in a sandboxed iframe, which is exactly what I don't want.

  • Related is not the same as duplicate; if you look at the code I explain how to get the log, isn't that what you want? And understand that related does not mean duplicated, the link only serves to help future visitors ;)

  • @Guilhermenascimento I didn't say "duplicated"... but I think you read the question and not its content. My iframe does not have permissions in the sandbox attribute, that is, it does not execute scripts.

  • @Guilhermenascimento It's true that I don't know where the error is thrown, but I believe it is the document that contains the iframe. I followed (yesterday) your link and tested with an iframe with no permissions and the error was the same, until I took a screenshot of your example https://i.stack.Imgur.com/y8Eac.png

  • The message says that allow-scripts was not set, but the example I posted does have this: <iframe id="fiddle-sandbox" sandbox="allow-same-origin allow-scripts allow-popups allow-forms allow-modals"></iframe>, I'll test it here.

  • As I said, you didn't read my question. My iframe does not have permissions in the sandbox attribute... to test your example I removed the permissions because "the idea is not to execute JavaScript in the iframe"; I only want to "observe" this exception so I can handle it or show an alert (in the source document).

  • Excuse me for asking, but what would this information be used for? I mean, even if you identify that there is JavaScript in the user's Markdown, that doesn't immediately mean it is malicious. After all, Markdown supports JavaScript examples.

  • @Lauromoraes I have been researching your question for a long time today, and I believe it is not possible to capture this exception because it happens inside the iframe in sandbox mode, that is, not even the view that exposes it has access, since allow-same-origin is not enabled. My suggestion is: try to implement or search for a JavaScript sanitizer to check the user input; if the input does not pass one of these sanitizers it means it has possibly "malicious" code. That is a way out of your problem.

  • That's why I searched MDN, W3C and the HTML spec, and I found a hundred (seriously, a hundred) sites and nothing. I find it strange; if it is what seems to be internal handling by the browser, I could not even find a reference for Chrome or Firefox...

  • @Lauromoraes since he did not use the @GuilhermeNascimento mention I didn't get your message until some time ago. You said I didn't read it, but that's not what I meant; the problem is I'm trying to explain one thing to you and you're clinging to another. I was just explaining the control that it is possible to have over an IFRAME through the attribute sandbox="...". I did not say that your iframe has it, I said just the opposite. I cannot say that it is possible to get the console errors directly from the iframe, but it is possible to obtain them in the global scope. There is a link on the subject, I will post it here.


3 answers

2

There is no way to access the values of the console and "observe" the warnings/errors issued by the internal JavaScript engines (V8, Chakra, etc.). I don't know of this functionality in any engine in the current version.

What you could do to get around the problem presented is to use another model.

For example:

 // jsFiddle runs this inside an onload handler; a top-level `return` is only
 // valid inside a function, so it is wrapped here the same way.
 $(function () {
     var md = '###Hello Word <script>alert("!")<\/script>';
     var match = md.match(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi);

     if (match && match.length) {
         console.log('Aqui existe script, devemos emitir um erro para o código malicioso');
         return;
     }

     var converter = new showdown.Converter();
     var MDtoHTML = converter.makeHtml(md);
     var ifrm = $('#frame');
     ifrm.attr('srcdoc', MDtoHTML);
 });

Follow the example https://jsfiddle.net/hgmzov4g/7/

  • Sorry, but I do not consider this "technique" useful for filtering (which is not the case, because the case is to prevent) the use of JavaScript, since there are endless possibilities to execute JavaScript in the document without necessarily declaring a <script> tag; examples: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME

  • Ah, as for my comment that "it may be internal handling", I did not mean to observe this handling (possibly internal), but that I could not find a reference in the documentation of the specification or of the browsers Chromium (which is also the basis of Chrome) and Firefox, which are open source.
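Added example, not from this answer or its jsFiddle: the sandbox attribute (without allow-scripts) stays the control that blocks execution, and this function only produces the log entry the asker wants by allowlisting tags and attributes in the rendered HTML, which is why it also flags the non-<script> cases the comment above mentions. The allowlists, the sample strings and the function names are assumptions constructed for the example.

```javascript
// Added example, not from the answer or its jsFiddle. The sandbox attribute
// (without allow-scripts) stays the control that stops execution; this only yields
// a log reason for *why* an upload looks suspicious, by allowlisting tags and
// attributes. Regex scan, not a parser: still run a real sanitizer (DOMPurify).
const ALLOWED_TAGS = new Set(['p', 'br', 'hr', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'blockquote', 'a', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'id']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// The answer's check, for comparison: it only matches a literal <script>...</script>.
function flaggedByAnswerRegex(html) {
  const match = html.match(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi);
  return Boolean(match && match.length);
}

// Returns human-readable reasons for a log entry; an empty array means nothing flagged.
function flagHtml(html) {
  const reasons = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { reasons.push(`tag not allowed: <${name}>`); continue; }
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = (attr[2] || attr[3] || attr[4] || '').trim();
      if (attrName.startsWith('on')) {                         // inline event handler
        reasons.push(`event handler on <${name}>: ${attrName}`);
      } else if (!ALLOWED_ATTRS.has(attrName)) {
        reasons.push(`attribute not allowed on <${name}>: ${attrName}`);
      } else if (attrName === 'href' || attrName === 'src') {  // URL-bearing attribute
        const scheme = value.match(/^([a-z][a-z0-9+.-]*):/i);
        if (scheme && !ALLOWED_SCHEMES.has(scheme[1].toLowerCase())) {
          reasons.push(`URL scheme not allowed on <${name}>: ${scheme[1]}`);
        }
      }
    }
  }
  return reasons;
}

// Constructed sample inputs, shaped like what showdown might emit for user markdown.
const SAMPLES = {
  script: '<h3 id="hello">Hello World <script>alert("!")</script></h3>',
  handler: '<p><img src="x" onerror="alert(1)"></p>',
  scheme: '<p><a href="javascript:alert(1)">link</a></p>',
  clean: '<h3>Hello World</h3><p>ok <em>fine</em></p>',
};
```

Run `flagHtml(SAMPLES.handler)` next to `flaggedByAnswerRegex(SAMPLES.handler)` to see the answer's regex return false while the allowlist reports the event handler.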

-2

If try/catch doesn't work, you can try using a regex on the string before converting the Markdown, looking for the script tag and pulling it out.

  • 2

    Thanks, but it's a bad answer: try/catch does not catch this error. Tested in Chrome, Firefox and Opera.

-2

You need to wrap the code that causes the error in a try, and use a catch to handle the error.

You can find more information on how to use try...catch statements on the Mozilla developer website.

  • 1

    Thanks, but it's a bad answer: try/catch does not catch this error. Tested in Chrome, Firefox and Opera.
