Is it safe to use an iframe to prevent malicious files? - html

I am making a web-based chat platform where people can chat and also share files. If a hacker injects a malicious file, there is a risk that my website gets hacked. I am thinking about embedding the files shared by users from a different domain name with different hosting, so the script will look like this:
<iframe src="server-url.com?file=filename.ext"></iframe>
And the iframe src URL will respond with:
<html>
<head></head>
<body>
<img src="filename.ext" >
</body>
</html>
Does this technique prevent my website from getting hacked? If not, what is the best way to protect my website from malicious files?

Now it all depends on the site you are using the iframe attribute for. If the site is secure and has SSL (referring to the 3rd-party site you are iframing) then you should be good.
Now if you did want to make it secure, you could use the "sandbox" attribute. I have a link below from W3Schools that explains more about it. Sandbox will usually block most content, but there are attribute values that allow you to make exceptions.
For example, let's say your iframe chat uses scripts to function; you could do something like this:
<iframe src="server-url.com?file=filename.ext" sandbox="allow-scripts"></iframe>
Information about iframe sandbox from W3Schools
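Added example, not part of either post above: how the separate file-serving origin and a sandboxed iframe fit together on the chat page, and which response headers that file origin should send so an uploaded file is never interpreted as a page of your site. FILE_ORIGIN, the function names and the allowed image types are assumptions.

```javascript
// Added example: embed user-uploaded files from a separate origin inside a
// sandboxed iframe, and decide the headers the file origin returns.
// FILE_ORIGIN is an assumed placeholder for the separate hosting domain.
const FILE_ORIGIN = "https://files.example.invalid";

// Only these (byte-sniffed) types are rendered inline; everything else downloads.
const INLINE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the <iframe> the chat page embeds. sandbox="" grants nothing: no
// allow-same-origin and no allow-scripts, so even a hostile framed document
// runs in an opaque origin with scripting disabled.
function buildFileFrame(fileId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(fileId)) {
    throw new Error("invalid file id");      // reject path tricks like ../
  }
  const src = `${FILE_ORIGIN}/view?file=${encodeURIComponent(fileId)}`;
  return `<iframe src="${escapeAttr(src)}" sandbox="" referrerpolicy="no-referrer" loading="lazy"></iframe>`;
}

// Headers the file origin returns for a stored upload. sniffedType is the type
// detected from the file's bytes, never the user-supplied extension.
function fileResponseHeaders(sniffedType, storedName) {
  const inline = INLINE_TYPES.has(sniffedType);
  const safeName = storedName.replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": inline ? sniffedType : "application/octet-stream",
    "X-Content-Type-Options": "nosniff",          // no MIME sniffing into HTML
    "Content-Disposition": `${inline ? "inline" : "attachment"}; filename="${safeName}"`,
    // Defense in depth: if the bytes were ever rendered as a document, it
    // would have an opaque origin, no scripts and no network access.
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}
```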

Related

How to redirect the page but not change the browser's URL?

In my project I gave people a RESTful link; the link would redirect to a page with a lot of params. I hope people will copy and share the short address instead of the long one.
I use a redirect to do it, but when the page is redirecting, the URL in the web browser also changes. Is there a way to avoid this?
I gave it a try using an iframe to build an inner page; that seems to work, at least on IE10, the newest Firefox and Chrome:
<html><body style="margin:0;padding:0"><iframe src="http://xxxxxx" height="100%" width="100%" frameborder="0"></iframe></body></html>
But it didn't work on some pages, for example 'www.google.com', and it is said it uses X-Frame-Options. But that's a case I don't need to worry about; both domains are owned by the project. So would that be a solved problem?
Yes. X-Frame-Options is set if the website doesn't want you to run it in a frame on another domain. It's safe if you only want to run it on your sites. The sites must not have this header or the browser won't allow it to be loaded.

Is it dangerous to let users embed images from their own URLs?

Would it compromise the security of a website if users were allowed to create img tags with whatever src attribute they wanted?
What kind of damage would be possible?
Allowing arbitrary src values on an <img> element would allow Cross-Site Scripting and thus the execution of arbitrary JavaScript code on your page:
<img src="javascript:…">
It could also be used to forge arbitrary GET requests, similar to Cross-Site Request Forgery but with a referrer originating from your site.
It can also be exploited to track your website visitors by using a web bug: http://en.wikipedia.org/wiki/Web_bug
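Added example, not from the original answer: a validator for user-supplied image URLs that only lets absolute http(s) URLs through, so javascript:, data: and other non-network schemes never reach an <img src>, and renders the tag with a no-referrer policy. Function names and the placeholder image path are assumptions; the forged-GET and web-bug risks the answer describes still apply to any URL that passes, which is what an image proxy would address.

```javascript
// Added example: validate a user-supplied image URL before it is placed in
// an <img src>. Only absolute http(s) URLs are accepted; javascript:, data:,
// vbscript:, protocol-relative and scheme-less values are rejected.
function isAllowedImageUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw.trim());       // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  // URL lowercases the scheme, so "JavaScript:" is caught too.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false;   // no credentials in the URL
  return true;
}

// Render the tag, or a placeholder (assumed path) when validation fails.
// The normalized href is attribute-escaped so a quote in the input cannot
// break out of the src attribute and add event-handler attributes.
function renderUserImage(raw) {
  if (!isAllowedImageUrl(raw)) {
    return '<img src="/img/blocked.png" alt="blocked image">';
  }
  const safe = new URL(raw.trim()).href
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  // no-referrer keeps your page URL out of the third party's logs.
  return `<img src="${safe}" referrerpolicy="no-referrer" alt="">`;
}
```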

How to add a redirect to a web page where you have limited user privileges

The company I work for has replaced our previously very flexible website with a much more restrictive "website in a box" technology. I have my web pages hosted on Google Sites and would like to redirect people to those pages. When I attempt to do this via JavaScript it gets stripped from the page when it's saved. I do not have access to the <head> section to attempt the deprecated method of redirecting.
Is there another method available to automatically redirect a customer other than just posting a link in a restricted environment like this?
If you're limited to using HTML to do the redirect, you can use a meta redirect:
<meta http-equiv="refresh" content="0; url=http://example.com/">
Though note that its use is deprecated because it may be disorienting to the user. In addition to the <meta> tag, you can add <link rel="canonical" href="http://example.com/"> to let search engines know that the targeted page is the canonical one.
Edit: if Google Sites won't allow you to change the <head> HTML, the JavaScript, or the PHP, then it's time to go searching for solutions within Google Sites itself. One solution that pops up pretty frequently in searches seems to be using a URL Redirect Gadget.
On the page you want to redirect from, click the Edit Page button, then Insert Menu, then More Gadgets. Once there, search for "redirect gadgets" and some widgets that should help will show up.
These instructions are based on advice given in the Google Products forums. I don't have a Google Site myself, so I can't verify that they work.

HTML <base> tag in email

We have a content-managed solution (SDL Tridion, to be specific; however, the question is more general), which includes multiple sites with content of different languages. They all share a number of Razor-based templates, which are used to render HTML fragments with specific injected content when pages are published.
CRM is also managed through the CMS and the same templating is used for the creation of email newsletters. These HTML emails contain images, which are published out to whatever site manages the distribution list in question. Because the templating system is generic and the CMS has no concept of the absolute URLs of the final product, these images are all embedded with relative addresses. We have the capacity to apply an absolute URL as metadata to the different websites in the CMS and write .Net extensions to format these URLs into rendered image tags; however, this would add considerable overhead to this piece of work.
We can resolve this by using a <base href="..." /> tag in the <head> section of the email's markup. This seems to work in Outlook, at least; however, I have not been able to find much up-to-date information on what email clients do and do not support this tag.
The question, then: How widely supported among email clients - particularly browser-based ones - is the <base> tag?
Unfortunately, it won't work for most web-based email clients (Hotmail, Gmail), and that typically adds up to about 30% of recipients.
Why it won't work:
Most web-based clients inject whatever's inside the body tag of your email and strip out everything else, including the head. So, if you send:
<html>
<head><base ...></head>
<body><p class="youremail">Email</p></body>
</html>
The email client does this:
<html>
<head><Email client head></head>
<body>
<email client wrapper>
<email>
<p class="youremail">Email</p>
</email>
<email client wrapper>...
</body>
So your base tag will be stripped. Even if it wasn't, since it's not included in the email client's head, it will be ignored by the browser.
Unfortunately, absolute paths on images are the way to go. I have got over similar problems in the past by using a 'preflight processor'. You could use that to get the <base> href and set it on all the images before returning the finished HTML.
I couldn't tell if you're using Razor or not, but if you are, you can do this inside a Razor view:
src="@Request.Url.GetLeftPart(UriPartial.Authority)/images/screenshot.png"
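Added example, not from the original answer: the "preflight processor" idea as a function that resolves every relative img/a/link URL in the rendered email against the template's <base href> and then drops the <base> tag, since web-based clients will strip it anyway. The function name and the sample email markup are constructed for this example.

```javascript
// Added example: preflight step that rewrites relative image and link URLs in
// an HTML email to absolute ones using the <base href> the template emitted,
// then removes the <base> tag. Regex-based on purpose: the markup is our own
// template output, not arbitrary HTML, so a full parser is not needed.
function absolutizeEmail(html) {
  const baseMatch = html.match(/<base\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*\/?>/i);
  if (!baseMatch) return html;              // nothing to resolve against
  const base = new URL(baseMatch[1]);       // throws if the base is not absolute
  if (base.protocol !== "https:" && base.protocol !== "http:") {
    throw new Error("base href must be http(s)");
  }
  // Rewrite src="..." / href="..." on img, a and link elements.
  const rewritten = html.replace(
    /(<(?:img|a|link)\b[^>]*?\s(?:src|href)\s*=\s*)(["'])([^"']*)\2/gi,
    (whole, prefix, quote, value) => {
      // Leave values that already carry a scheme (http:, mailto:, cid:) or
      // are pure fragments; protocol-relative "//host/x" is resolved.
      if (/^(?:[a-z][a-z0-9+.-]*:|#)/i.test(value)) return whole;
      return `${prefix}${quote}${new URL(value, base).href}${quote}`;
    }
  );
  return rewritten.replace(baseMatch[0], "");
}

// Constructed sample of template output, with a relative image, a relative
// link that climbs a directory, and a mailto: link that must stay untouched.
const SAMPLE_EMAIL = `<html><head><base href="https://news.example.invalid/campaign/" /></head>
<body><img src="images/screenshot.png"><a href="../unsubscribe?id=42">Unsubscribe</a>
<a href="mailto:help@example.invalid">Help</a></body></html>`;
```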

Embedding iframe in Wikimedia based Wiki

I have been trying to embed an iframe in a wiki page that I'm working on, based on Wikimedia but not the actual Wikipedia, without any luck.
I've also tried googling this topic, but have been fruitless. Would appreciate any advice on this, please.
Thanks.
There's the easy way and the slightly harder way.
The easy way assumes you don't have a publicly editable wiki (i.e. non-logged in users cannot edit and creating an account is not automatic).
If that's the case, simply set $wgRawHtml to true and you will be able to input any arbitrary HTML into your pages by wrapping it inside the <html> tag.
Here's an example:
This is '''wikitext'''.
<html>
This is <em>HTML</em>.
</html>
Now, if you have a publicly editable wiki you most definitely don't want users to be able to add any and all HTML to your wiki. In that case you can use the Verbatim extension. This will embed the contents of a page in the MediaWiki namespace as-is, preserving any HTML markup.
For example:
<verbatim>Foo</verbatim>
Would embed the contents of MediaWiki:Foo.
Hope that helps.
I suggest you use the IDisplay extension.
The iDisplay extension allows MediaWiki pages to embed external web pages. It also allows setting an option to put a blocking page in front of it, so you prevent loading the page until the user wants to load the page.
It's implemented with an <iframe>.