Potentially breaking change: Prevent setting of extPath via URL and prevent setting of cross-domain or cross-folder extensions via URL, i.e., reject the whole extensions string if it contains the character ":" or "/" or, to be extra safe, "\" (issue #4 of mailing list post "Agenda for resolving security issues"). extPath and extensions can still be meaningfully set freely via setConfig calls, e.g., "svgCanvas.setConfig({extPath: ..., extensions: ...});" if made before Editor.init() is called in svg-editor.js (which is called on a jQuery ready (i.e., DOMContentLoaded) event). To avoid modifying svg-editor.html, one could build an extension which loaded its own scripts as done by the simple extFunc() function in svg-editor.js, but this would occur a little later (Should we export extFunc() for this usage?).

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2671 eee81c28-f429-11dd-99c0-75d572ba1ddd
master
Brett Zamir 2014-02-10 05:33:05 +00:00
parent bc3f7923e0
commit 7295eece09
1 changed files with 11 additions and 7 deletions


@ -234,17 +234,21 @@
urldata.dimensions = urldata.dimensions.split(','); urldata.dimensions = urldata.dimensions.split(',');
} }
if (urldata.extensions) {
// For security reasons, disallow cross-domain extensions via URL
urldata.extensions = (urldata.extensions.indexOf(':') > -1) ? '' : urldata.extensions.split(',');
}
if (urldata.bkgd_color) { if (urldata.bkgd_color) {
urldata.bkgd_color = '#' + urldata.bkgd_color; urldata.bkgd_color = '#' + urldata.bkgd_color;
} }
if (urldata.extPath && urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL if (urldata.extensions) {
delete urldata.extPath; // For security reasons, disallow cross-domain or cross-folder extensions via URL
urldata.extensions = urldata.extensions.match(/[:\/\\]/) ? '' : urldata.extensions.split(',');
}
// Disallowing extension paths via URL for
// security reasons, even for same-domain
// ones given potential to interact in undesirable
// ways with other script resources
if (urldata.extPath) {
delete urldata.extPath;
} }
svgEditor.setConfig(urldata); svgEditor.setConfig(urldata);