WP oEmbed: validate the secret send via postMessage in wp.receiveEmbedMessage. Also, compare window instances.

In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped. In theory, this could lead to some broken embeds. Props mdawaffe. Fixes #34831. git-svn-id: https://develop.svn.wordpress.org/trunk@35761 602fd350-edb4-49c9-b593-d223f7449a82
2015-12-03 20:16:28 +00:00 · 2015-12-03 20:16:28 +00:00 · dedff8fd0e
commit dedff8fd0e
parent 3e85312bbf
1 changed files with 8 additions and 0 deletions
--- a/src/wp-includes/js/wp-embed.js
+++ b/src/wp-includes/js/wp-embed.js
@ -22,6 +22,10 @@
 			return;
 		}

+		if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
+			return;
+		}
+
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
 			i, source, height, sourceURL, targetURL;
@ -33,6 +37,10 @@
 		for ( i = 0; i < iframes.length; i++ ) {
 			source = iframes[ i ];

+			if ( e.source !== source.contentWindow ) {
+				continue;
+			}
+
 			source.style.display = '';

 			/* Resize the iframe on request. */