github/svgedit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Properly prevent "extensions" in URL

Browse Source 
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2650 eee81c28-f429-11dd-99c0-75d572ba1ddd
This commit is contained in:
Brett Zamir
2014-01-31 08:23:27 +00:00
parent 712c52ed54
commit 4d42195d63
1 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
editor/svg-editor.js
View File

@@ -235,19 +235,17 @@
} }
if (urldata.extensions) { if (urldata.extensions) {
if (urldata.extensions.indexOf(':')) { // For security reasons, disallow cross-domain extensions via URL // For security reasons, disallow cross-domain extensions via URL
urldata.extensions = ''; urldata.extensions = (urldata.extensions.indexOf(':') > -1) ? '' : urldata.extensions.split(',');
}
urldata.extensions = urldata.extensions.split(',');
} }
if (urldata.bkgd_color) { if (urldata.bkgd_color) {
urldata.bkgd_color = '#' + urldata.bkgd_color; urldata.bkgd_color = '#' + urldata.bkgd_color;
} }
if (urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL if (urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL
delete urldata.extPath; delete urldata.extPath;
} }
svgEditor.setConfig(urldata); svgEditor.setConfig(urldata);