Critical security fix preventing cross-domain extensions or extension path via URL
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2648 eee81c28-f429-11dd-99c0-75d572ba1dddmaster
parent
881d82859b
commit
712c52ed54
|
@ -235,12 +235,19 @@
|
|||
}
|
||||
|
||||
if (urldata.extensions) {
|
||||
if (urldata.extensions.indexOf(':')) { // For security reasons, disallow cross-domain extensions via URL
|
||||
urldata.extensions = '';
|
||||
}
|
||||
urldata.extensions = urldata.extensions.split(',');
|
||||
}
|
||||
|
||||
if (urldata.bkgd_color) {
|
||||
urldata.bkgd_color = '#' + urldata.bkgd_color;
|
||||
}
|
||||
|
||||
if (urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL
|
||||
delete urldata.extPath;
|
||||
}
|
||||
|
||||
svgEditor.setConfig(urldata);
|
||||
|
||||
|
|
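Review bot: The new check `if (urldata.extensions.indexOf(':'))` tests the raw return value of indexOf, which is -1 (truthy) when no colon is present and 0 (falsy) when the colon is the first character, so every ordinary extension list is blanked while a value beginning with ':' passes through; it should read `if (urldata.extensions.indexOf(':') > -1) {`, as the extPath check further down already does. That extPath check is not guarded the way the extensions one is, so a URL without an extPath parameter would presumably throw a TypeError before `svgEditor.setConfig(urldata)` runs (how urldata is built is outside the hunk); `if (urldata.extPath && urldata.extPath.indexOf(':') > -1) {` avoids that. Rejecting only ':' also appears to leave scheme-relative and parent-directory references unfiltered, so rejecting path separators as well, or checking each entry against an allowlist of known extension file names, would be a stronger control for a URL-supplied value. The enclosing function begins and ends outside the hunk.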