blacklist some method from the postMessage API to prevent XSS
hakimel committed Jan 31, 2020
1 parent d213fac commit b6cc6b4
Showing 1 changed file with 17 additions and 4 deletions.
21 changes: 17 additions & 4 deletions js/reveal.js
Expand Up @@ -32,8 +32,12 @@
HORIZONTAL_SLIDES_SELECTOR = '.slides>section',
VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section',
HOME_SLIDE_SELECTOR = '.slides>section:first-of-type',

UA = navigator.userAgent,

// Methods that may not be invoked via the postMessage API
POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/,

// Configuration defaults, can be overridden at initialization time
config = {

Expand Down Expand Up @@ -1274,11 +1278,20 @@

// Check if the requested method can be found
if( data.method && typeof Reveal[data.method] === 'function' ) {
var result = Reveal[data.method].apply( Reveal, data.args );

// Dispatch a postMessage event with the returned value from
// our method invocation for getter functions
dispatchPostMessage( 'callback', { method: data.method, result: result } );
if( POST_MESSAGE_METHOD_BLACKLIST.test( data.method ) === false ) {

var result = Reveal[data.method].apply( Reveal, data.args );

// Dispatch a postMessage event with the returned value from
// our method invocation for getter functions
dispatchPostMessage( 'callback', { method: data.method, result: result } );

}
else {
console.warn( 'reveal.js: "'+ data.method +'" is is blacklisted from the postMessage API' );
}

}
}
}, false );
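Review bot: The new guard is a denylist, so every other function exposed on `Reveal`, including any added to the public API after this commit, remains callable from any window that can post to this one; an allowlist of the getters and navigation methods the postMessage API is meant to expose would fail closed instead. The `typeof Reveal[data.method] === 'function'` check on the line above the new `if` also resolves names inherited from `Object.prototype`, so dispatch should additionally require an own property, e.g. `Object.prototype.hasOwnProperty.call( Reveal, data.method )`. The warning on the else branch repeats a word: `console.warn( 'reveal.js: "'+ data.method +'" is blacklisted from the postMessage API' );`. The comment on `POST_MESSAGE_METHOD_BLACKLIST` in the first hunk should also note that the regex is unanchored and therefore blocks by substring, so maintainers do not assume exact-name matching. Whether the enclosing message listener validates `event.origin` cannot be seen here, because the listener starts outside the hunk.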
