zcy
/
svgedit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Security fix (minor): For embedded API, avoid chance for arbitrary property 

setting (though this was only for trusted origins anyways)
- Security fix (minor): For embedded API example, copy params to iframe
    source without XSS risk (though params should already be XML-safe
    given `encodeURIComponent` and lack of a single quote attribute context)
- Linting (LGTM): Flag origin-checked item as safe
- Refactoring: Destructuring, ellipsis
- Docs (JSDoc): Missing return value
master
Brett Zamir 2018-09-22 10:06:25 +08:00
parent dab1ff81af
commit fbffc86503
4 changed files with 27 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
dist/extensions/ext-xdomain-messaging.js vendored
View File

@ -7,6 +7,16 @@ var svgEditorExtension_xdomain_messaging = (function () {
return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj;
};
var toConsumableArray = function (arr) {
if (Array.isArray(arr)) {
for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) arr2[i] = arr[i];
return arr2;
} else {
return Array.from(arr);
}
};
/**
* Should not be needed for same domain control (just call via child frame),
* but an API common for cross-domain and same domain use can be found
@ -45,7 +55,9 @@ var svgEditorExtension_xdomain_messaging = (function () {
id: cbid
};
try {
message.result = svgCanvas[name].apply(svgCanvas, args);
// Now that we know the origin is trusted, we perform otherwise
// unsafe arbitrary canvas method execution
message.result = svgCanvas[name].apply(svgCanvas, toConsumableArray(args)); // lgtm [js/remote-property-injection]
} catch (err) {
message.error = err.message;
}

8
editor/embedapi-dom.js
View File

@ -68,12 +68,12 @@ $('#exportPDF').click(exportPDF);
const frameBase = 'https://raw.githack.com/SVG-Edit/svgedit/master';
// const frameBase = 'http://localhost:8001';
const framePath = '/editor/xdomain-svg-editor-es.html?extensions=ext-xdomain-messaging.js';
const iframe = $(`<iframe src="${frameBase}${framePath}` +
const iframe = $('<iframe width="900px" height="600px" id="svgedit"></iframe>');
iframe[0].src = frameBase + framePath +
(location.href.includes('?')
? location.href.replace(/\?(.*)$/, '&$1')
: '') + // Append arguments to this file onto the iframe
'" width="900px" height="600px" id="svgedit""></iframe>'
);
: ''); // Append arguments to this file onto the iframe
iframe[0].addEventListener('load', function () {
svgCanvas = new EmbeddedSVGEdit(frame, [new URL(frameBase).origin]);
// Hide main button, as we will be controlling new, load, save, etc. from the host document

13
editor/embedapi.js
View File

@ -44,14 +44,14 @@ function getCallbackSetter (funcName) {
* @param {JSON} data
* @returns {undefined}
*/
function addCallback (t, data) {
const result = data.result || data.error,
cbid = data.id;
if (t.callbacks[cbid]) {
if (data.result) {
function addCallback (t, {result, error, id: cbid}) {
if (typeof cbid === 'number' && t.callbacks[cbid]) {
// These should be safe both because we check `cbid` is numeric and
// because the calls are from trusted origins
if (result) {
t.callbacks[cbid](result);
} else {
t.callbacks[cbid](result, 'error');
t.callbacks[cbid](error, 'error');
}
}
}
@ -340,6 +340,7 @@ class EmbeddedSVGEdit {
* @param {string} name
* @param {ArgumentsArray} args Signature dependent on function
* @param {module:EmbeddedSVGEdit.GenericCallback} callback
* @returns {Integer}
*/
send (name, args, callback) {
const t = this;

4
editor/extensions/ext-xdomain-messaging.js
View File

@ -33,7 +33,9 @@ export default {
id: cbid
};
try {
message.result = svgCanvas[name].apply(svgCanvas, args);
// Now that we know the origin is trusted, we perform otherwise
// unsafe arbitrary canvas method execution
message.result = svgCanvas[name](...args); // lgtm [js/remote-property-injection]
} catch (err) {
message.error = err.message;
}