redbaks
Hi! I am trying to implement adding widgets to our template editor
(for blogs). I am worried that I might open a window for XSS attacks,
so I decided to envelop all widgets inside an iframe.
Whenever a user wants to insert an external widget into his blog, a
script takes over and creates a dynamic iframe, and then the
widget script is inserted inside the iframe.
I created a dynamic iframe using this code (I simplified it):
<script>
function addWidget(code) {
  // Create the iframe and give it a unique name/id based on the current time.
  var IFR = document.createElement('iframe');
  IFR.name = IFR.id = "iframe-" + new Date().getTime();
  // The widget markup is passed as a string literal inside a javascript: URL.
  IFR.src = "javascript: '<html><head></head><body>" + code + "</body></html>'";
  document.body.appendChild(IFR);
}
</script>
It works fine on most of the widgets, but I am getting problems adding
Google Gadgets.
My questions are:
1. Is there any other way to create a dynamic iframe and pass dynamic
content on the fly?
2. Is this safe enough, or am I a little paranoid in doing this extra
work of framing every widget?
Thanks guys!
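Added example, not part of the original post: a frame whose src is a javascript: URL runs in the embedding page's origin, so it does not isolate the widget from the blog. The sketch below sets the content through `srcdoc` on a sandboxed iframe instead; it assumes a browser that supports both attributes, and `sandboxValue`, `UNSAFE_TOKENS` and the `doc`/`extraTokens` parameters are names introduced here for illustration.

```javascript
// Added example (not the poster's code). Assumes browser support for the
// iframe `sandbox` and `srcdoc` attributes.

// Sandbox tokens that would undo the isolation for untrusted widget code.
const UNSAFE_TOKENS = new Set([
  'allow-same-origin',              // frame would share the blog's origin
  'allow-top-navigation',           // frame could redirect the blog page
  'allow-top-navigation-by-user-activation',
  'allow-popups-to-escape-sandbox', // popups would open unsandboxed
]);

let widgetCounter = 0; // avoids id collisions within one millisecond

// Build the sandbox attribute value; refuse tokens that break isolation.
function sandboxValue(extraTokens = []) {
  const tokens = ['allow-scripts', ...extraTokens];
  for (const t of tokens) {
    if (UNSAFE_TOKENS.has(t)) throw new Error('unsafe sandbox token: ' + t);
  }
  return [...new Set(tokens)].join(' ');
}

// Same role as the original addWidget(code), with the widget confined to an
// opaque origin. `doc` defaults to the page's document in a browser.
function addWidget(code, doc = document, extraTokens = []) {
  const frame = doc.createElement('iframe');
  frame.name = frame.id = 'iframe-' + Date.now() + '-' + (widgetCounter++);
  // Set sandbox before the content so the content never loads unsandboxed.
  frame.setAttribute('sandbox', sandboxValue(extraTokens));
  // srcdoc takes the markup as-is: no javascript: URL and no string literal
  // for quotes inside the widget code to break out of.
  frame.srcdoc = '<!DOCTYPE html><html><head></head><body>' + code +
    '</body></html>';
  doc.body.appendChild(frame);
  return frame;
}
```

Without `allow-same-origin` the widget's scripts run but cannot read the blog page's DOM, cookies or storage; any data the page needs from the widget has to come through `postMessage`.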