sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

WP oEmbed: validate the secret send via postMessage in wp.receiveEmbedMessage. Also, compare window instances.

Browse Source 
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.


git-svn-id: https://develop.svn.wordpress.org/trunk@35761 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Scott Taylor 2015-12-03 20:16:28 +00:00
parent 3e85312bbf
commit dedff8fd0e
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/wp-includes/js/wp-embed.js
View File

@ -22,6 +22,10 @@
return; return;
} }
if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
return;
}
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
i, source, height, sourceURL, targetURL; i, source, height, sourceURL, targetURL;
@ -33,6 +37,10 @@
for ( i = 0; i < iframes.length; i++ ) { for ( i = 0; i < iframes.length; i++ ) {
source = iframes[ i ]; source = iframes[ i ];
if ( e.source !== source.contentWindow ) {
continue;
}
source.style.display = ''; source.style.display = '';
/* Resize the iframe on request. */ /* Resize the iframe on request. */