How to observe an error in the iframe element with attribute "sandbox"

17

I have an iframe with the sandbox attribute in my document.

With JavaScript I read a Markdown file, parse it using the showdownjs library and add the result to the srcdoc attribute of the iframe, and the result is as expected.

However, the files come from users' sources and will be visible to other users, so I use the sandbox attribute.

When the Markdown file contains a script ... the page containing the iframe throws an error in the browser console (obviously: if the attribute prevents execution, an attempt to execute should raise an error).

How can I (if I can) observe this error in JavaScript? How can I know whether there was an error?

Thank you in advance.

update

page.html

<!DOCTYPE html>
<html lang="">
<head>
   <title>Teste</title>
</head>
<body id="body">
   <iframe id="frame" sandbox></iframe>

   <script type="text/javascript" src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
   <script type="text/javascript" src="https://rawgit.com/showdownjs/showdown/develop/dist/showdown.min.js"></script>
   <script type="text/javascript">
       var md = '###Hello Word <script>alert("!")<\/script>';
       var converter = new showdown.Converter();
       var MDtoHTML = converter.makeHtml(md)
       var ifrm = $('#frame')
       ifrm.attr('srcdoc', MDtoHTML);
   </script>
</body>
</html>

jsFiddle example

Well, this is the error print! It happens, so I believe my question has a point! You could (if you can "watch") display a popup or banner, or even write a log entry, to identify malicious uploaders.

    
asked by anonymous 26.10.2016 / 08:39

3 answers

2

There is no way for us to access console values and "observe" the warnings/errors issued by internal JavaScript libs (V8, Chakra, etc.). I do not know of this functionality in the current version of any engine.

What you could do to get around the problem is to use another template.

For example:

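 var md = '###Hello Word <script>alert("!")<\/script>';
 // Look for a <script>...</script> block in the raw Markdown before converting it
 var match = md.match(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi);

 if (match && match.length) {
    // Message: "There is a script here; we should raise an error for the malicious code"
    console.log('Aqui existe script, devemos emitir um erro para o código malicioso');
 } else {
    // No script block found: convert the Markdown and load it into the sandboxed iframe
    var converter = new showdown.Converter();
    var MDtoHTML = converter.makeHtml(md);
    var ifrm = $('#frame');
    ifrm.attr('srcdoc', MDtoHTML);
 }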

Follow the example link

    
24.04.2017 / 15:03
-1

You need to put a try where the code causes the error, and use a catch to handle the error.

You can find more information on using try...catch statements on Mozilla for developers.

    
10.01.2017 / 17:25
-1

If try catch does not work, you can try to use a regex on the string before converting the Markdown, looking for the script tag and removing it.

    
16.03.2017 / 11:19
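
The pre-check suggested in the answers above, as an added example that is not part of the original thread: it scans the converted HTML (the value that would go into srcdoc) and goes beyond the <script> pair to also flag event-handler attributes and javascript: URLs, which likewise need script execution. The names findActiveContent, URL_ATTRS and samples are hypothetical, and the sample strings are constructed stand-ins for converter.makeHtml(md) output.

```javascript
// Added example: flag script-capable markup in converted Markdown before it
// is assigned to srcdoc. Detection for logging only; the sandbox attribute
// remains the control that blocks execution.
var URL_ATTRS = ['href', 'src', 'action', 'formaction', 'xlink:href'];

function findActiveContent(html) {
  var findings = [];
  // Opening tags; quoted attribute values may contain '>'.
  var tagRe = /<([a-z][a-z0-9-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  var tag;
  while ((tag = tagRe.exec(html)) !== null) {
    var name = tag[1].toLowerCase();
    if (name === 'script') {
      findings.push({ kind: 'script-element', tag: name });
    }
    // name=value pairs with double-quoted, single-quoted or bare values.
    var attrRe = /([^\s"'=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    var attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      var attrName = attr[1].toLowerCase();
      var raw = attr[2] !== undefined ? attr[2]
        : attr[3] !== undefined ? attr[3] : attr[4];
      // URL parsing can ignore whitespace and control characters, so strip
      // them all before checking the scheme.
      var value = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
      if (attrName.indexOf('on') === 0) {
        findings.push({ kind: 'event-handler', tag: name, attr: attrName });
      } else if (URL_ATTRS.indexOf(attrName) !== -1 &&
                 value.indexOf('javascript:') === 0) {
        findings.push({ kind: 'javascript-url', tag: name, attr: attrName });
      }
    }
  }
  return findings;
}

// Constructed samples standing in for converter.makeHtml(md) output.
var samples = [
  '<h3>Hello Word <script>alert("!")</script></h3>',
  '<p><img src="x.png" onerror="f()"></p>',
  '<p><a href="https://example.com/a>b">plain link</a></p>'
];
samples.forEach(function (html) {
  var found = findActiveContent(html);
  console.log(found.length ? 'flag upload: ' + JSON.stringify(found) : 'clean');
});
```

A non-empty result is the signal to show the banner or write the log entry; the HTML can still be loaded into the sandboxed iframe unchanged.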