data: URL wrapper
Check whether data:text/html is accepted in the URL attributes of wrapper elements such as iframe, object, embed, or link previews.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Block data: by default in URL attributes such as src, data, and href
- If data: is required, restrict it by MIME type, such as images only
- Check whether wrapper tags can create unsandboxed HTML documents
Payload
Checks whether a data: child document can execute script and message its parent.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
data:text/html looks like a URL, but the browser can treat it as a fresh HTML document with its own script execution context.
- A sanitizer can allow a tag while accidentally leaving its URL policy too broad, making iframe/object/embed combinations dangerous.
- Embed features need a URL protocol policy, host allowlists, an iframe sandbox, and a referrer policy in addition to tag allowlists.
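The following is an added example, not code from the original playground, showing one way to implement the URL attribute policy from the checklist above (block data: by default, allow it only for image MIME types) together with the per-tag hardening the explanation calls for. The policy object, the attribute and tag lists, the helper names, and the sample payloads are all constructed assumptions for illustration.

```javascript
// Added example: URL attribute policy for embed-capable tags.
// Assumption: attribute values arrive as raw strings from an HTML sanitizer
// that has already decided which tags to keep.

const DEFAULT_POLICY = {
  // Non-data: schemes that are acceptable anywhere (hypothetical choice).
  schemes: new Set(['http', 'https', 'mailto']),
  // data: is tolerated only on these tags and only for these MIME types.
  // image/svg+xml is deliberately absent: an SVG document can carry script.
  dataUrlTags: new Set(['img']),
  dataUrlMimes: new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']),
};

// Attributes whose value the browser resolves as a URL.
const URL_ATTRS = new Set(['src', 'data', 'href', 'action', 'formaction', 'poster']);

function stripUrlNoise(value) {
  // The URL parser drops leading/trailing C0 controls and spaces and removes
  // tab/CR/LF anywhere, so "da\tta:" or " DATA:" still parses as data:.
  // Mirror that before looking at the scheme.
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

function parseScheme(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null; // null means a relative URL
}

function parseDataMime(url) {
  // data:[<mediatype>][;base64],<data>  (mediatype defaults to text/plain)
  const body = url.slice('data:'.length);
  const comma = body.indexOf(',');
  if (comma < 0) return null; // no payload separator: malformed
  const mime = body.slice(0, comma).split(';')[0].trim().toLowerCase();
  return mime === '' ? 'text/plain' : mime;
}

function checkUrlAttribute(tag, attr, rawValue, policy = DEFAULT_POLICY) {
  const url = stripUrlNoise(rawValue);
  const scheme = parseScheme(url);
  if (scheme === null) return { ok: true, reason: 'relative URL' };
  if (policy.schemes.has(scheme)) return { ok: true, reason: `${scheme}: allowed` };
  if (scheme !== 'data') return { ok: false, reason: `scheme ${scheme}: not allowed` };
  if (!policy.dataUrlTags.has(tag.toLowerCase())) {
    return { ok: false, reason: `data: not allowed on <${tag}>` };
  }
  const mime = parseDataMime(url);
  if (mime === null) return { ok: false, reason: 'malformed data: URL' };
  if (!policy.dataUrlMimes.has(mime)) return { ok: false, reason: `data: MIME ${mime} not allowed` };
  return { ok: true, reason: `data: ${mime} on <${tag}>` };
}

function hardenEmbedAttributes(tag, attrs) {
  // Only iframe supports sandbox; the empty value is the most restrictive
  // (no scripts, no same-origin). Assumption: the application never needs a
  // user-supplied frame to run script or read the parent origin.
  if (tag.toLowerCase() === 'iframe') attrs.sandbox = '';
  if (['iframe', 'object', 'embed'].includes(tag.toLowerCase())) {
    attrs.referrerpolicy = 'no-referrer';
  }
  return attrs;
}

function sanitizeAttributes(tag, attrs, policy = DEFAULT_POLICY) {
  // attrs: plain object of attribute name -> value. Returns what survives and why
  // each rejected attribute was dropped, so the sanitizer can log it.
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    const lname = name.toLowerCase();
    if (URL_ATTRS.has(lname)) {
      const verdict = checkUrlAttribute(tag, lname, value, policy);
      if (!verdict.ok) { dropped.push({ name: lname, reason: verdict.reason }); continue; }
    }
    kept[lname] = value;
  }
  return { kept: hardenEmbedAttributes(tag, kept), dropped };
}

// Constructed sample inputs (not taken from the page): a data: child document
// that scripts and messages its parent, obfuscated variants, and benign URLs.
const SAMPLES = [
  ['iframe', { src: 'data:text/html,<script>parent.postMessage("hi","*")</script>' }],
  ['object', { data: ' DATA:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==' }],
  ['embed', { src: 'da\tta:image/svg+xml,<svg onload=alert(1)/>' }],
  ['img', { src: 'data:image/svg+xml,<svg onload=alert(1)/>' }],
  ['img', { src: 'data:image/png;base64,iVBORw0KGgo=' }],
  ['a', { href: 'javascript:alert(1)' }],
  ['a', { href: 'https://example.com/' }],
];

for (const [tag, attrs] of SAMPLES) {
  console.log(tag, JSON.stringify(sanitizeAttributes(tag, attrs)));
}
```

The scheme check runs on the browser-normalised form of the value rather than on the raw string, since a naive `startsWith('data:')` misses leading whitespace, mixed case, and embedded tabs that the URL parser silently discards.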