Inspired to extend DotNetNuke®, everyday.
Hi,
Our security scan showed that if you enter the following
http://....../default.aspx?au_iframe=www.microsoft.com
you will get through to the microsoft website through the ds_autosize iFrame, is there anyway of controling what urls are allowed through the querystring?
Thanks
Currently this not avaliable. You can disable the feature in the configuration of the module, to prevent the iframe from using the query string feature.
We need the feature to enter URLs but we wouldn't want other people to edit the URL property. Are there any plans on improving this security issue?