1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-24 03:42:32 +01:00

Added origin verification to postMessage usage.

Closes #2769
This commit is contained in:
Dan Brown 2021-05-25 00:05:20 +01:00
parent df0e03cd07
commit 600f8cd142
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9

View File

@ -1,5 +1,5 @@
let iFrame = null;
let lastApprovedOrigin;
let onInit, onSave;
/**
@ -19,15 +19,22 @@ function show(drawioUrl, onInitCallback, onSaveCallback) {
iFrame.setAttribute('class', 'fullscreen');
iFrame.style.backgroundColor = '#FFFFFF';
document.body.appendChild(iFrame);
lastApprovedOrigin = (new URL(drawioUrl)).origin;
}
function close() {
drawEventClose();
}
/**
* Receive and handle a message event from the draw.io window.
* @param {MessageEvent} event
*/
function drawReceive(event) {
if (!event.data || event.data.length < 1) return;
let message = JSON.parse(event.data);
if (event.origin !== lastApprovedOrigin) return;
const message = JSON.parse(event.data);
if (message.event === 'init') {
drawEventInit();
} else if (message.event === 'exit') {
@ -62,7 +69,7 @@ function drawEventClose() {
}
function drawPostMessage(data) {
iFrame.contentWindow.postMessage(JSON.stringify(data), '*');
iFrame.contentWindow.postMessage(JSON.stringify(data), lastApprovedOrigin);
}
async function upload(imageData, pageUploadedToId) {