blacklist some method from the postMessage API to prevent XSS

edit
Hakim El Hattab 2020-01-31 10:59:08 +01:00
parent d213fac34c
commit b6cc6b4916
1 changed files with 17 additions and 4 deletions

View File

@ -32,8 +32,12 @@
HORIZONTAL_SLIDES_SELECTOR = '.slides>section', HORIZONTAL_SLIDES_SELECTOR = '.slides>section',
VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section', VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section',
HOME_SLIDE_SELECTOR = '.slides>section:first-of-type', HOME_SLIDE_SELECTOR = '.slides>section:first-of-type',
UA = navigator.userAgent, UA = navigator.userAgent,
// Methods that may not be invoked via the postMessage API
POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/,
// Configuration defaults, can be overridden at initialization time // Configuration defaults, can be overridden at initialization time
config = { config = {
@ -1274,11 +1278,20 @@
// Check if the requested method can be found // Check if the requested method can be found
if( data.method && typeof Reveal[data.method] === 'function' ) { if( data.method && typeof Reveal[data.method] === 'function' ) {
if( POST_MESSAGE_METHOD_BLACKLIST.test( data.method ) === false ) {
var result = Reveal[data.method].apply( Reveal, data.args ); var result = Reveal[data.method].apply( Reveal, data.args );
// Dispatch a postMessage event with the returned value from // Dispatch a postMessage event with the returned value from
// our method invocation for getter functions // our method invocation for getter functions
dispatchPostMessage( 'callback', { method: data.method, result: result } ); dispatchPostMessage( 'callback', { method: data.method, result: result } );
}
else {
console.warn( 'reveal.js: "'+ data.method +'" is is blacklisted from the postMessage API' );
}
} }
} }
}, false ); }, false );