Fix for Cross-Site Scripting (XSS) Vulnerability

[gtsp233]

Hi, I've found a Cross-Site Scripting (XSS) vulnerability in this package.

Vulnerability Details:

• Severity: High/Critical
• Description: There's a risk of malicious script execution when the src of the iframe tag is controlled by an adversary.

Steps to Reproduce:
In a React.js project:

import React from "react";
import ReactDOM from "react-dom/client";
import { useIframe } from "fronts";

function App() {
  useIframe({
    url: "javascript:alert(1)",
    name: "test",
    attrs: {},
    target: document.getElementById("root"),
  });
  return <div />
}

const root = ReactDOM.createRoot(document.getElementById("root"));
root.render(
  <React.StrictMode>
    <Provider store={store}>
      <App />
    </Provider>
  </React.StrictMode>
);

Then the malicious code alert(1) will be executed.

Suggested Fix or Mitigation:
It is best practice for a React.js components package to sanitize the sec attribute before passing it to an <iframe> tag. React.js itself, along with many popular libraries such as react-router-dom and Next.js, also ensures the safety of src attributes. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.

As for the fronts packages, it's expected that the iframe src should not be javascript protocol.

I've already fixed this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability.

If you have any questions, please let me know. Thanks!

[unadlib]

I don't think this is a situation that the framework should have to cover, it should be handled by the developer themselves with settings such as CSP or sandbox, including qualifying trusted urls to secure the iframe.