Commit b6cc6b49 authored by Hakim El Hattab's avatar Hakim El Hattab
Browse files

blacklist some method from the postMessage API to prevent XSS

parent d213fac3
......@@ -32,8 +32,12 @@
HORIZONTAL_SLIDES_SELECTOR = '.slides>section',
VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section',
HOME_SLIDE_SELECTOR = '.slides>section:first-of-type',
UA = navigator.userAgent,
// Methods that may not be invoked via the postMessage API
POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/,
// Configuration defaults, can be overridden at initialization time
config = {
......@@ -1274,11 +1278,20 @@
// Check if the requested method can be found
if( data.method && typeof Reveal[data.method] === 'function' ) {
var result = Reveal[data.method].apply( Reveal, data.args );
// Dispatch a postMessage event with the returned value from
// our method invocation for getter functions
dispatchPostMessage( 'callback', { method: data.method, result: result } );
if( POST_MESSAGE_METHOD_BLACKLIST.test( data.method ) === false ) {
var result = Reveal[data.method].apply( Reveal, data.args );
// Dispatch a postMessage event with the returned value from
// our method invocation for getter functions
dispatchPostMessage( 'callback', { method: data.method, result: result } );
}
else {
console.warn( 'reveal.js: "'+ data.method +'" is is blacklisted from the postMessage API' );
}
}
}
}, false );
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment