Critical security fix preventing cross-domain extensions or extension path via URL

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2648 eee81c28-f429-11dd-99c0-75d572ba1ddd
2014-01-31 07:13:47 +00:00 · 2014-01-31 07:13:47 +00:00 · 712c52ed54
parent 881d82859b
commit 712c52ed54
1 changed files with 7 additions and 0 deletions
--- a/editor/svg-editor.js
+++ b/editor/svg-editor.js
@ -235,12 +235,19 @@
 					}

 					if (urldata.extensions) {
+            if (urldata.extensions.indexOf(':')) { // For security reasons, disallow cross-domain extensions via URL
+              urldata.extensions = '';
+            }
 						urldata.extensions = urldata.extensions.split(',');
 					}

 					if (urldata.bkgd_color) {
 						urldata.bkgd_color = '#' + urldata.bkgd_color;
 					}
+          
+          if (urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL
+            delete urldata.extPath;
+          }

 					svgEditor.setConfig(urldata);