The MU forums have moved to WordPress.org

iframes -- What's the risk? (15 posts)

  1. ekusteve
    Member
    Posted 7 years ago #

    I would like to allow the use of iframes on my mu site. I have figured out how change the code to allow this (evidently it was there in earlier versions, but has been removed). In reading on the "dangers" of allowing iframe use on mu sites, it seems the concerns revolve around spam issues.

    Are there any "security" concerns with allowing iframe use?

    Thanks.

    Steve

  2. drmiketemp
    Member
    Posted 7 years ago #

  3. ekusteve
    Member
    Posted 7 years ago #

    Okay, but I still don't get it.

    That iframe pointed to a server that had an .exe file on it...couldn't someone do the same thing with a normal hyperlink?

    I'm just not understanding the security risk of iframes in Mu when they are used by lots of other web application. I'm not saying there is not a risk (I don't have the expertise to know)....just trying to understand what it is.

    Steve

  4. lunabyte
    Member
    Posted 7 years ago #

    The risk is that you don't know, or control and end user. You simply can limit what they can get away with.

    Point being, someone can link to an exe file. However, the reader knows they are clicking on something. OTOH, with an iframe, they most likely don't have a clue.

    And, and exe file is but one of who knows how many examples. Malicious js, php, or anything else. The end result just isn't good.

  5. mysorehead
    Member
    Posted 7 years ago #

    The upload feature uses an iframe doesn't it?

    So using an iframe isn't necessarily bad when coming from your site or other *trusted* sites but the problem is allowing users put external content into the iframe.

    If you're logged in a naughty iframe could certainly get up to some mischief, adding, changing and deleting content. In the same way that the current upload iframe can send content to the post text box.

    Richard

  6. drmiketemp
    Member
    Posted 7 years ago #

    The upload feature uses an iframe doesn't it?

    Yes but you're not an evil hacker trying to take over other computers now, are you? You have file level access as the site admin. There's a difference.

  7. mysorehead
    Member
    Posted 7 years ago #

    Yes but you're not an evil hacker trying to take over other computers now, are you? You have file level access as the site admin. There's a difference.

    That was exactly my point. ekusteve hasn't said what he wants to put in the iframe. If he's talking about allowing the users to put his own code (and only his own code) I can't see the problem either.

    Richard

  8. ekusteve
    Member
    Posted 7 years ago #

    I'm not sure I have much control over what they put in the iframe, but actually, I just want them to be able to embed things like a Google calendar...like here:

    http://kentuckyclassroom.org/titanpe/school-calendar/

    I do have some control over who creates blogs on my site and I don't allow comments on the site, so my site is "probably" at less (risk from whatever the iframe risk is) than a site that is open to the public.

    Steve

  9. mysorehead
    Member
    Posted 7 years ago #

    Surely google is a *trusted* site.

    Rather than giving full control of a totally open iframe you could (should) make a plugin that takes just the google id from the user. And checks that they aren't trying to add more than the id.

  10. drmiketemp
    Member
    Posted 7 years ago #

    You as the site admin are a trusted site. Joe Hacker who's signed up for a blog and is not known to you is not a trusted site. You don't know who this person is and for all you know, they've set up a blog in an attempt to lift login cookies or spead their virii to as many folks as possible.

  11. ekusteve
    Member
    Posted 7 years ago #

    "...you could (should) make a plugin that takes just the google id from the user."

    What I "could and should" do is not always equivalent to what I "can" do. :-)

    If anyone knows of a pluging that will do this...or that does something similiar and can be hacked to do this...please let me know. I'm pretty good at hacking existing code...I don't have the ability to write this plugin from scratch though.

    Steve

  12. mysorehead
    Member
    Posted 7 years ago #

    Any of the embedded media plugins would work the same way. eg. youtube, anarchy, podpress Look at the function they are using to filter the_content. Also find where they are using strpos and substr (that's how I'd do it anyway)

    In your example you want to include
    '<iframe height="514" width="440" frameBorder="0" src="http://www.google.com/calendar/embed?src=dcrroots01%40gmail.com&height=214"></iframe>'

    but you don't want the user to be able to use the iframe code so you let them add a calendar by something like [google_calendar user=dcrroots@gmail.com] and then use a filter on the_content to change modify the code. All you'd need was strpos and substr as well as some code (maybe the inbuilt kses functions would do this for you anyway) to make sure your bloggers weren't trying to do anything naughty.

    The only part of the code in this example that changes is the users email address and so you hard code all of the code that doesn't change.

    Make sense?
    Richard

    By the way I changed the email address slightly for spam reasons.

  13. ekusteve
    Member
    Posted 7 years ago #

    Thanks Richard...sounds logical. I may give this a try this weekend and see what I can come up with.

    Steve

  14. mysorehead
    Member
    Posted 7 years ago #

    Steve,

    Not sure if you still need this but I've had a go at writing a similar plugin (for scratch today and it does appear to be quite easy)

    // usage: [scratch src="XX"][/scratch]
    
    function rgo_scratch($text) {
    
    $first_part = <<<EOD
    
    	<applet id="ProjectApplet" style="display:block" code="ScratchApplet" codebase="http://richards-mac.local/" archive="ScratchApplet.jar" height="387" width="482">
    	<param name="project" value=
    EOD;
    
    $second_part = <<<EOD
    	>
    	</applet>		
    
    EOD;
    
    	$text = str_replace( '[scratch src=', $first_part, $text);
    	$text = str_replace( '][/scratch]', $second_part, $text);
    
    	return $text;
    
    }
    
    	add_filter('the_content', 'rgo_scratch', 99);

    You just need to a few minor changes to make this work for you.

    Edit: This plugin doesn't do checking to make sure that the scratch BB code is correctly formatted y the author or check if it is complete. Maybe it should. Oh, GPL of course.

    Richard

    PS. This plugin doesn't work! Not sure why the java applet loads but then fails trying to load the project. Oh well.

  15. ekusteve
    Member
    Posted 7 years ago #

    Richard,

    Thanks for the start on this...I'm leaving today for a two-week education conference in Beijing, so I'll probably be "off-line" for a couple of weeks. When I get back I'll take a look at this...I may not be able to do much myself, but I have a "top notch" programmer friend who may be able to help.

    Steve

About this Topic

  • Started 7 years ago by ekusteve
  • Latest reply from ekusteve