Problem/Motivation
The Xss::filter() method does not remove srcdoc attributes from iframe tags.
This attribute can be used to inject JS into the page.
The XSS filter removes other dangerous attributes like onclick or onload, so I think it should also remove srcdoc.
Xss::filter() does not allow iframe tags by default, so it needs to be called explicitly with iframe in the $allowed_html_tags parameter to be vulnerable.
You could argue that this is a misuse of the XSS filter, but I think it is an easy mistake to make and it could benefit from this hardening.
This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.
Steps to reproduce
If someone calls this:
\Drupal\Component\Utility\Xss::filter('<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>', ['iframe'])
They could expect a safe iframe tag to be returned but instead the returned HTML could contain malicious JS.
Proposed resolution
Remove srcdoc attributes in Xss::attributes().