Brett Zamir 7295eece09 Potentially breaking change: Prevent setting of extPath via URL and prevent setting of cross-domain or cross-folder extensions via URL, i.e., if the extensions string possesses the character ":", "/", or, to be extra safe, "\", (issue #4 of mailing list post "Agenda for resolving security issues"). extPath and extensions can still be meaningfully set freely via setConfig calls, e.g., "svgCanvas.setConfig({extPath: ..., extensions: ...});" if made before Editor.init() is called in svg-editor.js (which is called on a jQuery ready (i.e., DOMContentLoaded) event). To avoid modifying svg-editor.html, one could build an extension which loaded its own scripts as done by the simple extFunc() function in svg-editor.js, but this would occur a little later (Should we export extFunc() for this usage?). ...

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2671 eee81c28-f429-11dd-99c0-75d572ba1ddd

2014-02-10 05:33:05 +00:00

145 KiB

Raw Blame History

View Raw