Adbusters for WordPress
A WordPress plugin that loads a set of iframe busters for popular ad networks.
Have you found a bug, or have a feature request? GitHub pull requests are warmly received. :)
Guidelines for iFrame Busters
The following are common XSS vulnerabilities found in iFrame busters.
- Unescaped URL parameter values
- Parameters that accept any domain
Unescaped URL parameter values
Special characters in any URL parameter value should be removed or converted into their equivalent HTML/hex entity before the value is written into the page. Each character in the following table can otherwise be used to write malicious code on the page.

| Character | HTML Entity |
| --- | --- |
| `&` | `&amp;` |
| `<` | `&lt;` |
| `>` | `&gt;` |
| `"` | `&quot;` |
| `'` | `&#x27;` |
| `/` | `&#x2F;` |
Parameters that accept any domain
When a domain is passed as a parameter and used to write a script tag onto the page, it should be checked against an explicit list of approved domains, and the script tag should only be written when the domain is on that list.
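The following is an added example, not code from the Adbusters plugin, showing both guidelines above in a small iframe-buster helper: escaping parameter values with the entity table, and allowlisting the domain before a script tag is written. The function names (`escapeHtml`, `isApprovedDomain`, `buildScriptTag`, `safeParam`) and the allowlist entries are assumptions made for this example.

```javascript
// Added example (not the plugin's own code): the two checks the guidelines
// describe. All names and the allowlist below are assumptions for this example.

// Map of the characters from the table to their HTML/hex entities.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Rule 1: escape every special character in a parameter value before it is
// written into the page. A single replace pass means the '&' produced by one
// entity is never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Rule 2: only serve script tags for domains on an explicit allowlist.
// These hostnames are constructed placeholders for the example.
const APPROVED_DOMAINS = [
  'cdn.example-adnetwork.com',
  'static.example-adnetwork.com',
];

// Returns true only when `url` is an absolute http(s) URL whose hostname
// exactly matches an approved domain. Parsing with URL (rather than a
// substring test) means a lookalike such as
// "cdn.example-adnetwork.com.evil.example" or a userinfo form such as
// "https://cdn.example-adnetwork.com@evil.example/" is rejected.
function isApprovedDomain(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return APPROVED_DOMAINS.includes(parsed.hostname.toLowerCase());
}

// Builds the <script> tag the buster would write, or returns null when the
// source is not on the allowlist. The src value is escaped as well, so a
// quote inside the URL cannot break out of the attribute.
function buildScriptTag(url) {
  if (!isApprovedDomain(url)) return null;
  return '<script src="' + escapeHtml(url) + '"></script>';
}

// Reads a named parameter from a query string (such as location.search)
// and returns it escaped, or '' when the parameter is absent.
function safeParam(queryString, name) {
  const params = new URLSearchParams(queryString);
  const raw = params.get(name);
  return raw === null ? '' : escapeHtml(raw);
}

// Demo on constructed inputs when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(safeParam('?id="><b>1</b>', 'id'));
  console.log(buildScriptTag('https://cdn.example-adnetwork.com/buster.js'));
  console.log(buildScriptTag('https://cdn.example-adnetwork.com.evil.example/x.js'));
}
```

The allowlist check deliberately compares the parsed hostname for equality rather than testing whether the approved domain appears somewhere in the string; a substring or prefix match is the usual way such checks are bypassed.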
Examples of Safe iFrame Busters
XSS Attack Prevention Guidelines
Further guidelines can be found at ha.ckers.org/xss.html, which covers the above rules as well as many others.