From 66a1f910b042a48fba1b992fe4fa61c463fe7e95 Mon Sep 17 00:00:00 2001
From: 2betop <2betop.cn@gmail.com>
Date: Wed, 9 Dec 2020 13:20:54 +0800
Subject: [PATCH] =?UTF-8?q?xss=20=E9=97=AE=E9=A2=98=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/renderers/IFrame.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/renderers/IFrame.tsx b/src/renderers/IFrame.tsx
index ca6ad21b7..c09fdde62 100644
--- a/src/renderers/IFrame.tsx
+++ b/src/renderers/IFrame.tsx
@@ -157,6 +157,13 @@ export default class IFrame extends React.Component<IFrameProps, object> {
       ...tempStyle,
       ...style
     };
+
+    const finalSrc = src ? buildApi(src, data).url : undefined;
+
+    if (typeof finalSrc === 'string' && /javascript\:/.test(finalSrc)) {
+      return <p>请填写合法的 iframe 地址</p>;
+    }
+
     return (
       <iframe
         className={className}
@@ -164,7 +171,7 @@ export default class IFrame extends React.Component<IFrameProps, object> {
         style={style}
         ref={this.IFrameRef}
         onLoad={this.onLoad}
-        src={src ? buildApi(src, data).url : undefined}
+        src={finalSrc}
       />
     );
   }