fix xss issue reported by @realansgar, regression from 3dade61

bfh · Jan 30, 2024 · 16f6633 · 16f6633
1 parent 5d131ce
commit 16f6633
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/plugin/notes/notes.esm.js b/plugin/notes/notes.esm.js
diff --git a/plugin/notes/notes.js b/plugin/notes/notes.js
diff --git a/plugin/notes/speaker-view.html b/plugin/notes/speaker-view.html
@@ -383,6 +383,13 @@ <h4 class="label">Notes</h4>
 
 				window.addEventListener( 'message', function( event ) {
 
+					// Validate the origin of all messages to avoid parsing messages
+					// that aren't meant for us. Ignore when running off file:// so
+					// that the speaker view continues to work without a web server.
+					if( window.location.origin !== event.origin && window.location.origin !== 'file://' ) {
+						return
+					}
+
 					clearTimeout( connectionTimeout );
 					connectionStatus.style.display = 'none';