-2

I'm in a situation where I need a substitute for the " " (space) character when writing an <iframe> (without using the forward slash).

```html
<iframe src="\\12341234">
```

Are there any creative or interesting ideas for getting something like this to work without any spaces at all?

Even better, is there a way to use an iframe like this:

```html
<iframe>
iframecontentshere
</iframe>
```
Kaiido
ex7lted
  • Wait a second, which space character are you talking about? The one between `iframe` and `src=`? Could you please clarify the situation that makes you think you need this? – Kaiido Aug 23 '22 at 02:39
  • _"Even better, is there a way to use an iframe like this: ..."_ - are you perhaps looking for the [`srcdoc`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-srcdoc) attribute ...? It is really hard to tell what the question is supposed to be here, or what you actually want to achieve - when you talk about "spaces" no one but you can see, apparently. – CBroe Aug 23 '22 at 10:22
  • @kaiido I'm a red teamer with a focus on web app pen testing. My apologies for the lack of clarity, there is most definitely no practical usage for this special iframe but on a few occasions in the past I've found myself needing an iframe with no spaces because of input sanitation so I finally decided to ask. Your answer was phenomenal, I appreciate it. – ex7lted Aug 23 '22 at 12:05

2 Answers

0

Space characters in a URL should be encoded as %20.

```html
<iframe src="data:text/html,<h1>I%20have%20spaces.</h1>"></iframe>
```

Though to be clear, in this case it isn't required.

The closest you can get to what you showed after is the `srcdoc` attribute.

```html
<iframe srcdoc="
  <h1>Some content</h1>
  <p>Directly in the attribute.</p>
"></iframe>
```

If you wanted to get rid of absolutely all space characters, even the one between the tag name and the attribute, then you'd need to resort to JS:

```html
<iframe></iframe><script>document.querySelector("iframe").src="data:text/html,<h1>I%20have%20spaces.</h1>";</script>
```
Kaiido
0

Yes, as long as you can also run JavaScript. This assumes it is the only iframe in the page:

```html
<iframe></iframe>
<script>document.querySelectorAll('iframe')[0].src="\\12341234";</script>
```

But this seems dodgy.

reepy
  • This is precisely what I was looking for and I appreciate the creativity, check my comment that I left for kaiido for more info on why I asked. – ex7lted Aug 23 '22 at 12:07
  • That's exactly one of the solutions in the other answer. – Kaiido Aug 23 '22 at 12:22
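For anyone maintaining the kind of input filter mentioned in the question's comments, here is an added example (not code from either answer) that runs the first answer's snippets through a space-stripping filter and through output encoding. `stripSpaces`, `escapeHtml`, `containsMarkup` and `audit` are hypothetical names, and the space-stripping filter is an assumption about what such a filter might look like.

```javascript
// Inputs are the two snippets posted in the first answer above.
const SAMPLES = [
  '<iframe src="data:text/html,<h1>I%20have%20spaces.</h1>"></iframe>',
  '<iframe></iframe><script>document.querySelector("iframe").src="data:text/html,<h1>I%20have%20spaces.</h1>";</script>',
];

// Assumed blocklist-style filter: removes every whitespace character.
function stripSpaces(input) {
  return input.replace(/\s+/g, "");
}

// Output encoding for HTML text and quoted attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the string still contains something a browser would read as a tag.
function containsMarkup(output) {
  return /<[a-zA-Z\/!]/.test(output);
}

// Compare what each approach leaves behind for every sample.
function audit(samples) {
  return samples.map((sample) => ({
    sample,
    unchangedByBlocklist: stripSpaces(sample) === sample,
    blocklistStillMarkup: containsMarkup(stripSpaces(sample)),
    encodedStillMarkup: containsMarkup(escapeHtml(sample)),
  }));
}

for (const row of audit(SAMPLES)) {
  console.log(row);
}
```

The second sample passes through the whitespace filter byte for byte, while the encoded form of both samples contains no tag at all. A Content-Security-Policy with restrictive `frame-src` and `script-src` directives gives a second layer where encoding is missed.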