XF 2.2 Post with Iframe causes failure

[klamm]

One of my users posted some BBcode with IFrame and it causes XF to crash.
Look here: https://www.klamm.de/forum/threads/traffic-bombe-de-trafficwerbung-discounter.465748/post-7928106
Problem: The IFrame renders, although it's encoded in the source !?

 

[Chris D]

What did they actually post? Can you edit the post and see the post content or retrieve it from the database?

 

[klamm]

That's what's in the DB
xf_post -> message

[IMG]https://bewegendes4u.de/img/smileys/077.gif[/IMG]

Da isser wieder :mrgreen:
Wie sagt man so schön: Jeder hat seine Chance verdient, etwas besser zu machen.

Ich war so frei und habe mal was gebucht. Ergebnis = Besucheranzahl unter ferner liefen.

Was mir aber aufgefallen ist (auf der Seite, auf der die Werbung eingebunden wird:

[B][COLOR="Red"]<iframe src='https://hubu.fm' width='0' height='0' scrolling='no' frameborder='0' marginwidth='0' marginheight='0'>[/COLOR][/B]

Könntest Du allen Nichtwissenden mal erklären, was diese Zeile bedeutet? Und allen Wissenden erkläre bitte, warum u.A. diese Zeile in Deinem Script verwendet wird.

Ewig grüßt das Murmeltier

 

[Chris D]

<iframe src='https://xenforo.com' width='0' height='0' scrolling='no' frameborder='0' marginwidth='0' marginheight='0'>

 

[klamm]

Removing [ URL ] from the source now, causes the IFrame to render

Does not render:

[B][COLOR=Red]<iframe src='[URL]https://xenforo.com[/URL]' width='0' height='0' scrolling='no' frameborder='0' marginwidth='0' marginheight='0'>[/COLOR][/B]

Renders:

[B][COLOR=Red]<iframe src='https://xenforo.com' width='0' height='0' scrolling='no' frameborder='0' marginwidth='0' marginheight='0'>[/COLOR][/B]

 

[Chris D]

Well, thankfully (for us ) that doesn't happen here.

This isn't a bug.

In fact, it doesn't happen for me in Chrome, either, but that's because I run uBlock...

If I disable uBlock, the iframe loads.

One of your ads is parsing escaped HTML and rendering it. Remove your ads immediately and do not re-enable them until you can ensure this issue has been fixed.

This could be a security disaster for your site if it enables escaped <script> tags to be rendered also.

 

[klamm]

One of your ads is parsing escaped HTML and rendering it. Remove your ads immediately and do not re-enable them until you can ensure this issue has been fixed.

Thanks for noting this.
I found & disabled these Ads!