Fix security issue by avoiding use of eval() within postMessage calls between embedAPI and main editor (also namespace the messages and protect the imagelib extension message listener from non-string messages); avoid embedAPI's unneeded randomizing of callback IDs in favor of incrementing; deprecate old embedded_svg_edit API name in favor of JS/JSLint-friendly EmbeddedSVGEdit name (and allow it to be instantiated w/o new keyword); JSLint/HTML5-ize embedAPI files, remove HTML5/browser-optional type="text/javascript", remove unused comments for embedAPI

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2585 eee81c28-f429-11dd-99c0-75d572ba1ddd
master
Brett Zamir 2013-10-13 23:59:32 +00:00
parent 109cbaf99b
commit ffde8814ac
4 changed files with 92 additions and 95 deletions

View File

@ -1,19 +1,23 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>Embed API</title>
</head>
<body>
<script type="text/javascript" src="embedapi.js"></script>
<script type="text/javascript">
var svgCanvas = null;
<script src="jquery.js"></script>
<script src="embedapi.js"></script>
<script>
/*globals $, EmbeddedSVGEdit*/
$(function () {'use strict';
var svgCanvas = null;
function init_embed() {
var frame = document.getElementById('svgedit');
svgCanvas = new embedded_svg_edit(frame);
// Hide main button, as we will be controlling new/load/save etc from the host document
var doc = frame.contentDocument || frame.contentWindow.document;
var mainButton = doc.getElementById('main_button');
var doc, mainButton,
frame = document.getElementById('svgedit');
svgCanvas = new EmbeddedSVGEdit(frame);
// Hide main button, as we will be controlling new, load, save, etc. from the host document
doc = frame.contentDocument || frame.contentWindow.document;
mainButton = doc.getElementById('main_button');
mainButton.style.display = 'none';
}
@ -33,10 +37,20 @@
function saveSvg() {
svgCanvas.getSvgString()(handleSvgData);
}
// Add event handlers
$('#load').click(loadSvg);
$('#save').click(saveSvg);
// Export globals
window.init_embed = init_embed;
});
</script>
<button onclick="loadSvg();">Load example</button>
<button onclick="saveSvg();">Save data</button>
</head>
<body>
<button id="load">Load example</button>
<button id="save">Save data</button>
<br/>
<iframe src="svg-editor.html" width="900px" height="600px" id="svgedit" onload="init_embed()"></iframe>
<iframe src="svg-editor.html" width="900px" height="600px" id="svgedit" onload="init_embed();"></iframe>
</body>
</html>

View File

@ -1,42 +1,10 @@
/*
function embedded_svg_edit(frame){
//initialize communication
this.frame = frame;
this.stack = []; //callback stack
var editapi = this;
window.addEventListener("message", function(e){
if(e.data.substr(0,5) == "ERROR"){
editapi.stack.splice(0,1)[0](e.data,"error")
}else{
editapi.stack.splice(0,1)[0](e.data)
}
}, false)
}
embedded_svg_edit.prototype.call = function(code, callback){
this.stack.push(callback);
this.frame.contentWindow.postMessage(code,"*");
}
embedded_svg_edit.prototype.getSvgString = function(callback){
this.call("svgCanvas.getSvgString()", callback)
}
embedded_svg_edit.prototype.setSvgString = function(svg){
this.call("svgCanvas.setSvgString('"+svg.replace(/'/g, "\\'")+"')");
}
*/
/*
Embedded SVG-edit API
General usage:
- Have an iframe somewhere pointing to a version of svg-edit > r1000
- Initialize the magic with:
var svgCanvas = new embedded_svg_edit(window.frames['svgedit']);
var svgCanvas = new EmbeddedSVGEdit(window.frames['svgedit']);
- Pass functions in this format:
svgCanvas.setSvgString("string")
- Or if a callback is needed:
@ -52,15 +20,33 @@ Everything is done with the same API as the real svg-edit,
and all documentation is unchanged. The only difference is
when handling returns, the callback notation is used instead.
var blah = new embedded_svg_edit(window.frames['svgedit']);
var blah = new EmbeddedSVGEdit(window.frames['svgedit']);
blah.clearSelection("woot","blah",1337,[1,2,3,4,5,"moo"],-42,{a: "tree",b:6, c: 9})(function(){console.log("GET DATA",arguments)})
*/
function embedded_svg_edit(frame){
//initialize communication
(function () {'use strict';
var cbid = 0;
function getCallbackSetter (d) {
return function(){
var t = this, // new callback
args = [].slice.call(arguments),
cbid = t.send(d, args, function(){}); // the callback (currently it's nothing, but will be set later)
return function(newcallback){
t.callbacks[cbid] = newcallback; // set callback
};
};
}
function EmbeddedSVGEdit(frame){
if (!(this instanceof EmbeddedSVGEdit)) { // Allow invocation without "new" keyword
return new EmbeddedSVGEdit(frame);
}
// initialize communication
this.frame = frame;
//this.stack = [] //callback stack
this.callbacks = {}; //successor to stack
this.callbacks = {}; // successor to stack
//List of functions extracted with this:
//Run in firebug on http://svg-edit.googlecode.com/svn/trunk/docs/files/svgcanvas-js.html
@ -72,7 +58,9 @@ function embedded_svg_edit(frame){
//Newer, well, it extracts things that aren't documented as well. All functions accessible through the normal thingy can now be accessed though the API
//var l=[];for(var i in svgCanvas){if(typeof svgCanvas[i] == "function"){l.push(i)}};
//run in svgedit itself
var functions = ["updateElementFromJson", "embedImage", "fixOperaXML", "clearSelection", "addToSelection",
var i,
t = this,
functions = ["updateElementFromJson", "embedImage", "fixOperaXML", "clearSelection", "addToSelection",
"removeFromSelection", "addNodeToSelection", "open", "save", "getSvgString", "setSvgString", "createLayer",
"deleteCurrentLayer", "getCurrentDrawing", "setCurrentLayer", "renameCurrentLayer", "setCurrentLayerPosition",
"setLayerVisibility", "moveSelectedToLayer", "clear", "clearPath", "getNodePoint", "clonePathNode", "deletePathNode",
@ -88,51 +76,41 @@ function embedded_svg_edit(frame){
"getNextRedoCommandText", "undo", "redo", "cloneSelectedElements", "alignSelectedElements", "getZoom", "getVersion",
"setIconSize", "setLang", "setCustomHandlers"];
//TODO: rewrite the following, it's pretty scary.
for(var i = 0; i < functions.length; i++){
this[functions[i]] = (function(d){
return function(){
var t = this; //new callback
for(var g = 0, args = []; g < arguments.length; g++){
args.push(arguments[g]);
}
var cbid = t.send(d, args, function(){}); //the callback (currently it's nothing, but will be set later
return function(newcallback){
t.callbacks[cbid] = newcallback; //set callback
};
};
})(functions[i]);
// TODO: rewrite the following, it's pretty scary.
for(i = 0; i < functions.length; i++){
this[functions[i]] = getCallbackSetter(functions[i]);
}
//TODO: use AddEvent for Trident browsers, currently they dont support SVG, but they do support onmessage
var t = this;
// Older IE may need a polyfill for addEventListener, but so it would for SVG
window.addEventListener("message", function(e){
if(e.data.substr(0,4) == "SVGe"){ //because svg-edit is too longish
var data = e.data.substr(4);
var cbid = data.substr(0, data.indexOf(";"));
if(t.callbacks[cbid]){
if(data.substr(cbid.length + 1,6) != "error:"){
t.callbacks[cbid](eval("("+data.substr(cbid.length+1)+")"));
}else{
t.callbacks[cbid](data, "error");
}
if (!e.data || typeof e.data !== "object" || e.data.namespace !== "svg-edit") {
return;
}
var data = e.data.result || e.data.error,
cbid = e.data.id;
if(t.callbacks[cbid]){
if(e.data.result){
t.callbacks[cbid](data);
}else{
t.callbacks[cbid](data, "error");
}
}
//this.stack.shift()[0](e.data,e.data.substr(0,5) == "ERROR"?'error':null) //replace with shift
}, false);
}
embedded_svg_edit.prototype.send = function(name, args, callback){
var cbid = Math.floor(Math.random()*31776352877+993577).toString();
//this.stack.push(callback);
this.callbacks[cbid] = callback;
for(var argstr = [], i = 0; i < args.length; i++){
argstr.push(JSON.stringify(args[i]));
}
EmbeddedSVGEdit.prototype.send = function(name, args, callback){
var t = this;
setTimeout(function(){//delay for the callback to be set in case its synchronous
t.frame.contentWindow.postMessage(cbid+";svgCanvas['"+name+"']("+argstr.join(",")+")","*");
cbid++;
this.callbacks[cbid] = callback;
setTimeout(function(){ // delay for the callback to be set in case its synchronous
// Todo: Handle non-JSON arguments and return values (undefined, nonfinite numbers, functions, and built-in objects like Date, RegExp), etc.?
t.frame.contentWindow.postMessage({namespace: "svgCanvas", id: cbid, name: name, args: args}, '*');
}, 0);
return cbid;
//this.stack.shift()("svgCanvas['"+name+"']("+argstr.join(",")+")")
};
window.embedded_svg_edit = EmbeddedSVGEdit; // Export old, deprecated API
window.EmbeddedSVGEdit = EmbeddedSVGEdit; // Follows common JS convention of CamelCase and, as enforced in JSLint, of initial caps for constructors
}());

View File

@ -64,7 +64,7 @@ svgEditor.addExtension("imagelib", function() {
// Receive postMessage data
var response = evt.data;
if(!response) {
if(!response || typeof response !== "string") { // Todo: Should namespace postMessage API for this extension and filter out here
// Do nothing
return;
}

View File

@ -4571,11 +4571,16 @@
// Callback handler for embedapi.js
try {
window.addEventListener('message', function(e) {
var cbid = parseInt(e.data.substr(0, e.data.indexOf(';')), 10);
if (!e.data || typeof e.data !== 'object' || e.data.namespace !== 'svgCanvas') {
return;
}
var cbid = e.data.id,
name = e.data.name,
args = e.data.args;
try {
e.source.postMessage('SVGe'+cbid+';'+JSON.stringify(eval(e.data)), '*');
e.source.postMessage({namespace: 'svg-edit', id: cbid, result: svgCanvas[name](args)}, '*');
} catch(err) {
e.source.postMessage('SVGe'+cbid+';error:'+err.message, '*');
e.source.postMessage({namespace: 'svg-edit', id: cbid, error: err.message}, '*');
}
}, false);
} catch(err) {