Security issue in Base64 rendering
ahenket opened this issue · 1 comment
ahenket commented
Reported by Epic: Base64 rendering does not do any sandboxing or checking when it creates an iframe. This leaves the door open for active content like an HTML document containing JavaScript.
Suggestions:
- Do mimetype checking
- Add sandbox attribute to iframe
ahenket commented
This is a regression introduced somewhere after version 3.1.1.
Mitigated by adding the sandbox attribute to iframe, except for PDF. This allows contained PDF to go full screen for example. PDF does not seem to have the additional risks associated with active contents.
Fixed in version 4.0.2 beta 6: 7b294d6
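The two suggestions in the issue, mimetype checking and a sandboxed iframe with an exception for PDF, can be combined in one policy function. The sketch below is an added example and not the project's code or the fix in the referenced commit; the function names, the allowlist and the constructed sample data are assumptions.

```javascript
// Added example: names, allowlist and sample data are assumptions, not the project's code.
const ALLOWED_TYPES = new Set(["application/pdf", "text/html", "text/plain", "image/png", "image/jpeg"]);

// Constructed samples: base64 of "%PDF-1.4\n" and of "<p>hi</p>".
const SAMPLE_PDF = "JVBERi0xLjQK";
const SAMPLE_HTML = "PHA+aGk8L3A+";

// atob exists in browsers and recent Node; fall back to Buffer elsewhere.
const decode = typeof atob === "function"
  ? atob
  : (s) => Buffer.from(s, "base64").toString("latin1");

// Decode the first 8 base64 characters (6 bytes) and check for the PDF magic number.
function looksLikePdf(base64) {
  return decode(base64.slice(0, 8)).startsWith("%PDF-");
}

// Returns the attributes for the iframe, or null when the content must not be rendered.
function iframePolicy(contentType, base64) {
  const type = String(contentType).split(";")[0].trim().toLowerCase();
  const data = String(base64).replace(/\s+/g, "");
  if (!ALLOWED_TYPES.has(type)) return null;              // mimetype check
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(data)) return null;  // not base64: refuse
  const attrs = { src: `data:${type};base64,${data}` };
  if (type === "application/pdf") {
    // Only content that really starts like a PDF gets the unsandboxed frame.
    return looksLikePdf(data) ? attrs : null;
  }
  attrs.sandbox = ""; // empty value applies every sandbox restriction (no scripts)
  return attrs;
}

// Browser-side use: copy the attributes onto a new iframe element.
function renderBase64(doc, container, contentType, base64) {
  const attrs = iframePolicy(contentType, base64);
  if (!attrs) return null;
  const frame = doc.createElement("iframe");
  for (const [name, value] of Object.entries(attrs)) frame.setAttribute(name, value);
  container.appendChild(frame);
  return frame;
}
```

Types outside the allowlist and declared PDFs whose bytes do not start with `%PDF-` are not rendered at all; everything else that is rendered gets `sandbox=""`.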