You cannot use a data: URL: the JS execution would then happen on a different domain.
But there is more than the src attribute you can exploit. The srcdoc attribute allows you to pass the HTML document itself as an attribute value. On top of that, the iframe will be considered same-site.
The attribute still goes through sanitization, but you can try different encodings to bypass the filters. With srcdoc and HTML encoding, you can bypass the filters and trigger the alert. In the solution, the 's' in script is replaced by its HTML-encoded version.
Since we are in a frame, we need to access the name of the parent frame.