rfc/xr: be more careful about which urls we load in iframes

anything that looks like it specifies a different host should not be loaded.
www.xmox.nl also has a CSP policy that should prevent resources from other
domains from being loaded.
Mechiel Lukkien 2023-11-14 14:09:35 +01:00
parent 51e314f65a
commit 5b62013f27


@ -364,18 +364,28 @@ window.addEventListener('hashchange', function() {
}) })
function hashlink2src(s) { function hashlink2src(s) {
const t = s.split(':') const t = s.split(':')
if (t.length > 2 || t[0].startsWith('/') || t[0].includes('..')) {
return ''
}
let h = t[0]+'.html' let h = t[0]+'.html'
if (t.length === 2) { if (t.length === 2) {
h += '#L'+t[1] h += '#L'+t[1]
} }
h = './'+h
console.log('hashlink', s, h) console.log('hashlink', s, h)
return h return h
} }
function updateIframes() { function updateIframes() {
const h = location.hash.length > 1 ? location.hash.substring(1) : 'code,rfc' const h = location.hash.length > 1 ? location.hash.substring(1) : 'code,rfc'
const t = h.split(',') const t = h.split(',')
codeiframe.src = hashlink2src(t[0]) const codesrc = hashlink2src(t[0])
rfciframe.src = hashlink2src(t[1]) const rfcsrc = hashlink2src(t[1])
codeiframe.src = codesrc
rfciframe.src = rfcsrc
if (codesrc) {
codefile.innerText = t[0]
rfcfile.innerText = t[1]
}
} }
window.addEventListener('load', function() { window.addEventListener('load', function() {
console.log('document load') console.log('document load')
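Review bot: In updateIframes the label update is gated on `codesrc` alone, so when hashlink2src rejects only the rfc part the rfc iframe is blanked while `rfcfile` still shows the rejected name; the guard should be `if (codesrc && rfcsrc) {` or each label should be set next to its own iframe. hashlink2src also still dereferences `t[1]` unconditionally, so a hash with no comma throws in `hashlink2src(undefined)` on the `.split` call, which the commit does not address. The new host check is a denylist (`/` prefix and literal `..`); since the URL parser treats percent-encoded `%2e%2e` as a dot segment, a name like `%2e%2e/x` passes the filter and, although the `./` prefix keeps it on the same origin, traverses outside the intended directory, so an allowlist of permitted name characters (presumably letters, digits, `_`, `-`, `.`, `/` and digits only for the line part — confirm against the names actually linked) would be more robust. The `console.log('hashlink', s, h)` debug line looks like leftover instrumentation and should be dropped before this lands.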