mirror of https://github.com/moparisthebest/mail synced 2024-11-28 20:02:16 -05:00

[WO-03-008] Fix no Origin Checks for postMessage Communication (High)

Tankred Hase 2015-04-23 17:09:10 +02:00
parent 4a681a73d2
commit 2aa166ac19


@ -12,6 +12,11 @@ DOMPurify.addHook('afterSanitizeAttributes', function(node) {
window.onmessage = function(e) { window.onmessage = function(e) {
var html = ''; var html = '';
// ignore messages from other origins to prevent XSS
if (e.origin !== location.origin) {
return;
}
if (e.data.html) { if (e.data.html) {
// display html mail body // display html mail body
html = e.data.html; html = e.data.html;
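Review bot: The added guard `if (e.origin !== location.origin)` accepts a message from any same-origin window, not only the one meant to drive this view; if the only intended sender is the embedding page (an assumption, since the caller is not shown here), the condition can be narrowed to `if (e.origin !== location.origin || e.source !== window.parent) {`. It is also worth confirming how this document is framed: in a frame sandboxed without `allow-same-origin` the document has an opaque origin, so the comparison should be verified to admit the legitimate sender and nothing else. `e.data.html` on the line after the guard is read without checking that `e.data` is an object, so a message with a null payload would throw inside the handler. The handler body continues past the end of the hunk, so any sanitizing of `html` is not visible here.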