From dedff8fd0e199332dcabea5597e1f0e4556853e1 Mon Sep 17 00:00:00 2001 From: Scott Taylor Date: Thu, 3 Dec 2015 20:16:28 +0000 Subject: [PATCH] WP oEmbed: validate the `secret` send via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances. In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped. In theory, this could lead to some broken embeds. Props mdawaffe. Fixes #34831. git-svn-id: https://develop.svn.wordpress.org/trunk@35761 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/js/wp-embed.js | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/wp-includes/js/wp-embed.js b/src/wp-includes/js/wp-embed.js index 50471c714b..985f0b801d 100644 --- a/src/wp-includes/js/wp-embed.js +++ b/src/wp-includes/js/wp-embed.js @@ -22,6 +22,10 @@ return; } + if ( /[^a-zA-Z0-9]/.test( data.secret ) ) { + return; + } + var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), i, source, height, sourceURL, targetURL; @@ -33,6 +37,10 @@ for ( i = 0; i < iframes.length; i++ ) { source = iframes[ i ]; + if ( e.source !== source.contentWindow ) { + continue; + } + source.style.display = ''; /* Resize the iframe on request. */
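Review bot: The new allow-list check on `data.secret` in the first hunk carries no comment explaining why it exists, and it relies on `RegExp.prototype.test` coercing non-string values, so a missing secret is tested as the string "undefined" and passes. The value arrives in a cross-window message and is concatenated into the two `querySelectorAll` attribute selectors directly below, where a quote or bracket would alter or invalidate the selector. I would state that above the check, e.g. `/* data.secret comes from another window and is placed in a selector: allow only alphanumerics. */`. Making the type explicit keeps the guard independent of coercion: `if ( typeof data.secret !== 'string' || /[^a-zA-Z0-9]/.test( data.secret ) ) {`. The enclosing handler starts and ends outside this hunk, so whether an earlier guard already guarantees a non-empty secret cannot be confirmed from here.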
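Review bot: The `e.source !== source.contentWindow` check in the second hunk gates only the iframe loop; `blockquotes`, selected by the same secret in the first hunk, is not covered by it. If the blockquotes are acted on before this loop (that code is outside the hunk), a message from any window that carries a matching secret would still trigger that step, so it may be worth running it only once an iframe whose `contentWindow` matches has been found. A short comment above the new check, such as `/* Only act on messages sent by this iframe's own window. */`, would also record that the secret alone is not treated as proof of the sender. The loop body continues past the end of the hunk.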