User:BWolff (WMF)/CSP/3

An example
Consider the widgets extension. This is a MW extension that allows Admins to create templates of HTML snippets that normal users can (ideally safely) embed into a page. If the widget doesn't use escaping properly, this can result in an XSS.

As an example, consider the iframe widget, it allows users to embed an iframe into a page. However it doesn't properly escape quotes (") in the url, meaning that a url like https://example.com"onload="doEvilStuff is taken to mean use the url example.com, and once it loads take over browser and do something evil.

next