- Security fix (minor): For embedded API, avoid chance for arbitrary property setting (though this was only for trusted origins anyways)
- Security fix (minor): For embedded API example, copy params to iframe
    source without XSS risk (though params should already be XML-safe
    given `encodeURIComponent` and lack of a single quote attribute context)
- Linting (LGTM): Flag origin-checked item as safe
- Refactoring: Destructuring, ellipsis
- Docs (JSDoc): Missing return value
This commit is contained in:
Brett Zamir
2018-09-22 10:06:25 +08:00
parent dab1ff81af
commit fbffc86503
4 changed files with 27 additions and 12 deletions


@@ -33,7 +33,9 @@ export default {
id: cbid
};
try {
message.result = svgCanvas[name].apply(svgCanvas, args);
// Now that we know the origin is trusted, we perform otherwise
// unsafe arbitrary canvas method execution
message.result = svgCanvas[name](...args); // lgtm [js/remote-property-injection]
} catch (err) {
message.error = err.message;
}
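Review bot: The lgtm suppression on `svgCanvas[name](...args)` records that the origin was checked, but nothing in the hunk constrains `name` itself: the bracket lookup walks the prototype chain, so inherited properties such as `constructor` or `toString` remain callable from a trusted frame, and a non-function property produces a TypeError whose text is echoed back through `message.error`. A guard before the call keeps the dispatch to the canvas's own methods: `if (!Object.prototype.hasOwnProperty.call(svgCanvas, name) || typeof svgCanvas[name] !== 'function') { throw new TypeError('Unknown canvas method: ' + name); }`. This presumes the canvas API methods are own properties of `svgCanvas`, which this hunk does not show; if some live on a prototype, an explicit allowlist of method names would be the alternative. The origin check the new comment refers to, and the start of the enclosing handler, lie above the hunk.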