Skip to content

[CRITICAL] SSRF/Vulnerability: ProjectCard iframe loads arbitrary URLs #16

Description

@saidai-bhuvanesh

🚨 Security Issue: Arbitrary URL Loading in iframe

Severity: CRITICAL
File: src/components/ui/ProjectCard.jsx

Problem

The iframe directly uses project.demoUrl without validation:

<iframe src={project.demoUrl || `/live/${project.slug}/index.html`} />

Attack Vectors

  1. Phishing: Malicious demoUrl loads fake login pages
  2. XSS via data: URIs: data:text/html,<script>alert(1)</script>
  3. Internal Network Scanning: http://localhost:8080/admin

Fix Required

const ALLOWED = ["github.io", "vercel.app", "netlify.app"];
function isSafe(url) {
  try {
    const u = new URL(url);
    return ALLOWED.some(d => u.hostname.endsWith(d));
  } catch { return false; }
}

Labels: bug, ssoc26

Metadata

Metadata

Labels

bugSomething isn't workinggood first issueGood for newcomersssoc26Main tag identifying the repository for Social Summer of Code 2026

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions