Critical security fix for embedded editor

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2723 eee81c28-f429-11dd-99c0-75d572ba1ddd
master
Brett Zamir 2014-03-02 01:11:23 +00:00
parent dd9e3b4864
commit 314bcb2e76
1 changed files with 4 additions and 2 deletions


@ -69,13 +69,15 @@ function addCallback (t, data) {
} }
function messageListener (e) { function messageListener (e) {
// We accept and post strings as opposed to objets for the sake of IE9 support; this // We accept and post strings as opposed to objects for the sake of IE9 support; this
// will most likely be changed in the future // will most likely be changed in the future
if (typeof e.data !== 'string') { if (typeof e.data !== 'string') {
return; return;
} }
var data = e.data && JSON.parse(e.data); var data = e.data && JSON.parse(e.data);
if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit') { if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit' ||
e.source !== this.frame.contentWindow // Important security check
) {
return; return;
} }
addCallback(this, data); addCallback(this, data);
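Review bot: The new `e.source` comparison runs only after `JSON.parse(e.data)`, so a string posted by any other window is still parsed, and a non-JSON string makes the listener throw before the check is reached. Testing the sender first, with `if (e.source !== this.frame.contentWindow) { return; }` at the top of messageListener, and wrapping the parse in a try/catch that returns on failure, would stop unrelated messages from getting that far. The check also pins the window object rather than the document loaded in it; if the frame can ever be navigated away from the editor, the same contentWindow would still pass, so comparing `e.origin` with the expected editor origin is worth adding alongside it. The check depends on `this` being the embedding object when the listener fires, which the hunk does not show, and the function body appears to continue past the last visible line.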