From 314bcb2e7622909489d1332169a0ed3d1db162a4 Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Sun, 2 Mar 2014 01:11:23 +0000
Subject: [PATCH] Critical security fix for embedded editor

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2723 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
 editor/embedapi.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/editor/embedapi.js b/editor/embedapi.js
index bac6ece1..3efccc83 100644
--- a/editor/embedapi.js
+++ b/editor/embedapi.js
@@ -69,13 +69,15 @@ function addCallback (t, data) {
 }
 
 function messageListener (e) {
- // We accept and post strings as opposed to objets for the sake of IE9 support; this
+ // We accept and post strings as opposed to objects for the sake of IE9 support; this
 // will most likely be changed in the future
 if (typeof e.data !== 'string') {
 return;
 }
 var data = e.data && JSON.parse(e.data);
- if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit') {
+ if (!data || typeof data !== 'object' || data.namespace !== 'svg-edit' ||
+ e.source !== this.frame.contentWindow // Important security check
+ ) {
 return;
 }
 addCallback(this, data);
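Review bot: The new `e.source !== this.frame.contentWindow` check runs only after `JSON.parse(e.data)`, so any window on the page can still make this listener throw by posting a non-JSON string; the sender check should come before the parse, e.g. `if (typeof e.data !== 'string' || e.source !== this.frame.contentWindow) { return; }` followed by the existing `var data = ...` line, and the comment `// Important security check` is better replaced by one that says what is being checked: `// Only accept messages from the editor frame we created; reject other windows before parsing`. Matching `e.source` against the frame's window does not establish which origin is currently loaded in that frame, so a message whose `e.origin` differs from the origin of the editor URL this embed was constructed with should be rejected as well (I cannot see from the hunk where that URL is stored, so the exact comparison value needs to come from the constructor). The closing of `messageListener` lies outside the hunk.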