diff --git a/dist/extensions/ext-xdomain-messaging.js b/dist/extensions/ext-xdomain-messaging.js
index 8c167ccb..37647251 100644
--- a/dist/extensions/ext-xdomain-messaging.js
+++ b/dist/extensions/ext-xdomain-messaging.js
@@ -7,6 +7,16 @@ var svgEditorExtension_xdomain_messaging = (function () {
 return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj;
 };
+ var toConsumableArray = function (arr) {
+ if (Array.isArray(arr)) {
+ for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) arr2[i] = arr[i];
+
+ return arr2;
+ } else {
+ return Array.from(arr);
+ }
+ };
+
 /**
 * Should not be needed for same domain control (just call via child frame),
 * but an API common for cross-domain and same domain use can be found
@@ -45,7 +55,9 @@ var svgEditorExtension_xdomain_messaging = (function () {
 id: cbid
 };
 try {
- message.result = svgCanvas[name].apply(svgCanvas, args);
+ // Now that we know the origin is trusted, we perform otherwise
+ // unsafe arbitrary canvas method execution
+ message.result = svgCanvas[name].apply(svgCanvas, toConsumableArray(args)); // lgtm [js/remote-property-injection]
 } catch (err) {
 message.error = err.message;
 }
diff --git a/editor/embedapi-dom.js b/editor/embedapi-dom.js
index 8a0a7867..ff599f66 100644
--- a/editor/embedapi-dom.js
+++ b/editor/embedapi-dom.js
@@ -68,12 +68,12 @@ $('#exportPDF').click(exportPDF);
 const frameBase = 'https://raw.githack.com/SVG-Edit/svgedit/master';
 // const frameBase = 'http://localhost:8001';
 const framePath = '/editor/xdomain-svg-editor-es.html?extensions=ext-xdomain-messaging.js';
-const iframe = $(`');
+iframe[0].src = frameBase + framePath + (location.href.includes('?')
 ? location.href.replace(/\?(.*)$/, '&$1')
- : '') + // Append arguments to this file onto the iframe
- '" width="900px" height="600px" id="svgedit"">'
-);
+ : ''); // Append arguments to this file onto the iframe
+
 iframe[0].addEventListener('load', function () {
 svgCanvas = new EmbeddedSVGEdit(frame, [new URL(frameBase).origin]);
 // Hide main button, as we will be controlling new, load, save, etc. from the host document
diff --git a/editor/embedapi.js b/editor/embedapi.js
index 625479b0..925893d0 100644
--- a/editor/embedapi.js
+++ b/editor/embedapi.js
@@ -44,14 +44,14 @@ function getCallbackSetter (funcName) {
 * @param {JSON} data
 * @returns {undefined}
 */
-function addCallback (t, data) {
- const result = data.result || data.error,
- cbid = data.id;
- if (t.callbacks[cbid]) {
- if (data.result) {
+function addCallback (t, {result, error, id: cbid}) {
+ if (typeof cbid === 'number' && t.callbacks[cbid]) {
+ // These should be safe both because we check `cbid` is numeric and
+ // because the calls are from trusted origins
+ if (result) {
 t.callbacks[cbid](result);
 } else {
- t.callbacks[cbid](result, 'error');
+ t.callbacks[cbid](error, 'error');
 }
 }
 }
@@ -340,6 +340,7 @@ class EmbeddedSVGEdit {
 * @param {string} name
 * @param {ArgumentsArray} args Signature dependent on function
 * @param {module:EmbeddedSVGEdit.GenericCallback} callback
+ * @returns {Integer}
 */
 send (name, args, callback) {
 const t = this;
diff --git a/editor/extensions/ext-xdomain-messaging.js b/editor/extensions/ext-xdomain-messaging.js
index dbb482a7..5b384ac2 100644
--- a/editor/extensions/ext-xdomain-messaging.js
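Review bot: The new `iframe[0].src` assignment appends `location.href.replace(/\?(.*)$/, '&$1')` whenever the host page has a query string, but that expression keeps the entire href (scheme, host and path) and only swaps the `?` for `&`, so the frame URL becomes `frameBase + framePath + 'https://host/page.html&foo=1'` rather than `...&foo=1`; the ternary's middle line is pre-existing context, but the commit rewrites the statement around it, so this is the place to correct it. The trailing comment says the intent is to append this file's arguments, which `location.search.replace(/^\?/, '&')` does directly and which is empty when there is no query, so the `includes('?')` test becomes unnecessary. Since the host page's query string is forwarded into the editor URL verbatim, a comment should make that explicit, e.g. `// Forward this page's query string to the editor: parameters given to this host page appear to become editor options` (hedged, as the editor's parameter handling is not visible here). The `-const iframe = $(...)` line of this hunk is garbled in this rendering, so the element's construction could not be reviewed.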
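Review bot: The new `cbid` guard in addCallback does not address which branch a falsy result takes: `if (result)` routes `0`, `''`, `false` and `undefined` (a canvas method with no return value) to the error path, invoking the callback as `callback(undefined, 'error')` — the same truthiness test the old `data.result || data.error` had, now with an explicitly `undefined` error argument. The extension hunk in editor/extensions/ext-xdomain-messaging.js sets `message.error` only in its `catch`, so the presence of `error` is the reliable discriminator: `if (error === undefined) { t.callbacks[cbid](result); } else { t.callbacks[cbid](error, 'error'); }`. Since `send` now documents its id as `{Integer}`, `Number.isInteger(cbid)` matches that contract more tightly than `typeof cbid === 'number'`, which also admits `NaN` and fractional values; these are harmless as lookups, but the new comment claims the numeric check is what makes the call safe, so it should state exactly what is guaranteed, e.g. `// cbid must be one of the integer ids handed out by send(); origin has already been checked by the caller`.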
+++ b/editor/extensions/ext-xdomain-messaging.js
@@ -33,7 +33,9 @@ export default {
 id: cbid
 };
 try {
- message.result = svgCanvas[name].apply(svgCanvas, args);
+ // Now that we know the origin is trusted, we perform otherwise
+ // unsafe arbitrary canvas method execution
+ message.result = svgCanvas[name](...args); // lgtm [js/remote-property-injection]
 } catch (err) {
 message.error = err.message;
 }
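Review bot: `svgCanvas[name](...args)` still resolves `name` against every property of `svgCanvas`, inherited ones such as `constructor` or `toString` included, and a non-function value surfaces only as the generic TypeError text that the `catch` copies into `message.error`; the lgtm suppression records that the origin is trusted, but the origin check itself lies outside this hunk and could not be confirmed here. A dedicated guard inside the `try` gives the calling page a clear error and keeps the trust assumption explicit: `if (typeof svgCanvas[name] !== 'function') { throw new TypeError('Not a canvas method: ' + String(name)); }`. The added comment would read better if it named what is relied on, e.g. `// The sender's origin was verified before this point; method name and arguments therefore come from a trusted page, not from arbitrary web content`. The same applies to the compiled copy under dist/extensions that this commit updates in step. The enclosing message handler starts and ends outside the hunk.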