blacklist some method from the postMessage API to prevent XSS
parent
d213fac34c
commit
b6cc6b4916
21
js/reveal.js
21
js/reveal.js
|
@ -32,8 +32,12 @@
|
||||||
HORIZONTAL_SLIDES_SELECTOR = '.slides>section',
|
HORIZONTAL_SLIDES_SELECTOR = '.slides>section',
|
||||||
VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section',
|
VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section',
|
||||||
HOME_SLIDE_SELECTOR = '.slides>section:first-of-type',
|
HOME_SLIDE_SELECTOR = '.slides>section:first-of-type',
|
||||||
|
|
||||||
UA = navigator.userAgent,
|
UA = navigator.userAgent,
|
||||||
|
|
||||||
|
// Methods that may not be invoked via the postMessage API
|
||||||
|
POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/,
|
||||||
|
|
||||||
// Configuration defaults, can be overridden at initialization time
|
// Configuration defaults, can be overridden at initialization time
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
|
@ -1274,11 +1278,20 @@
|
||||||
|
|
||||||
// Check if the requested method can be found
|
// Check if the requested method can be found
|
||||||
if( data.method && typeof Reveal[data.method] === 'function' ) {
|
if( data.method && typeof Reveal[data.method] === 'function' ) {
|
||||||
var result = Reveal[data.method].apply( Reveal, data.args );
|
|
||||||
|
|
||||||
// Dispatch a postMessage event with the returned value from
|
if( POST_MESSAGE_METHOD_BLACKLIST.test( data.method ) === false ) {
|
||||||
// our method invocation for getter functions
|
|
||||||
dispatchPostMessage( 'callback', { method: data.method, result: result } );
|
var result = Reveal[data.method].apply( Reveal, data.args );
|
||||||
|
|
||||||
|
// Dispatch a postMessage event with the returned value from
|
||||||
|
// our method invocation for getter functions
|
||||||
|
dispatchPostMessage( 'callback', { method: data.method, result: result } );
|
||||||
|
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
console.warn( 'reveal.js: "'+ data.method +'" is is blacklisted from the postMessage API' );
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}, false );
|
}, false );
|
||||||
|
|
Loading…
Reference in New Issue