web javascript postmessage html-injection xss origin-check

Send a message a receiver treats as trusted HTML because it skips strict origin and schema checks.

postMessage HTML Injection

postMessage is not dangerous by itself; the danger appears when the receiver treats message data as trusted HTML or trusted commands without strict origin and schema checks.

Why It Works

  • A handler that inserts message.html into the DOM without validating the event's origin or source will accept a payload from any window that can post to it, including an attacker's page.

Vulnerable Pattern

  • Widgets or iframes receiving messages like {type, html} and directly inserting html into the DOM.

Exploit Flow

  1. Identify the message format by reading bundled JS or probing with benign messages.
  2. Confirm whether the receiver validates origin, source, both, or neither.
  3. Once HTML is inserted, adapt the payload to the sink context and CSP.

Variations

  • JSON-stringified messages, command messages that later load templates, or message-driven route changes reaching a second sink.

Common Blockers

  • Strict origin checks, structured schema validation, or rendering through text APIs.
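The vulnerable pattern beside the blockers listed above, as an added example that is not part of the original card. Names such as TRUSTED_ORIGIN, validateMessage and hardenedHandler are assumed for illustration; the receiver logic is kept DOM-independent so it can be exercised with plain objects.

```javascript
// Added example (not from the original card). Names such as TRUSTED_ORIGIN,
// validateMessage and hardenedHandler are assumed for illustration.
const TRUSTED_ORIGIN = "https://app.example"; // assumption: the only window allowed to post

// Weak receiver from the card: any {type:"render", html} message becomes live DOM.
function vulnerableHandler(event, container) {
  const msg = event.data;
  if (msg && msg.type === "render" && typeof msg.html === "string") {
    container.innerHTML = msg.html; // HTML sink, no origin/source/schema check
    return true;
  }
  return false;
}

// Structured schema check: accept a plain object or its JSON-stringified form,
// and keep only the fields and types the widget actually needs.
function validateMessage(data) {
  let obj = data;
  if (typeof obj === "string") {
    try { obj = JSON.parse(obj); } catch (e) { return null; }
  }
  if (typeof obj !== "object" || obj === null) return null;
  if (obj.type !== "render" || typeof obj.text !== "string") return null;
  return { type: "render", text: obj.text };
}

// Hardened receiver: exact origin match, source pinned to the expected window,
// schema validation, and a text API so markup in the message stays inert.
function hardenedHandler(event, container, expectedSource) {
  if (event.origin !== TRUSTED_ORIGIN) return "rejected:origin";
  if (event.source !== expectedSource) return "rejected:source";
  const msg = validateMessage(event.data);
  if (msg === null) return "rejected:schema";
  container.textContent = msg.text; // not innerHTML: "<img ...>" renders as literal text
  return "rendered";
}

// Wiring in a real page (not executed here): pin the source to the embedding window.
function install(container) {
  window.addEventListener("message", (e) => hardenedHandler(e, container, window.parent));
}
```

Note that the source check alone is not enough when the expected window can be navigated by the attacker; the origin check is what ties the message to a specific site.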

PoC Sketch

iframe.contentWindow.postMessage({type:"render",html:"<img src=x onerror=alert(1)>"}, "*");

Good Situations To Use It

  • A page embeds a widget/iframe that renders message HTML.
  • Origin/source checks are missing or weak.
  • The message schema is discoverable.

Sources

  • labossi_2026/web/trusted_support