Make WordPress Core

Changeset 35761


Timestamp: 12/03/2015 08:16:28 PM (9 years ago)
Author: wonderboymusic
Message:

WP oEmbed: validate the secret sent via postMessage in wp.receiveEmbedMessage. Also, compare window instances.

In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

File: 1 edited

  • trunk/src/wp-includes/js/wp-embed.js

    r35708 r35761  
    2323        }
    2424
     25        if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
     26            return;
     27        }
     28
    2529        var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
    2630            blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
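
Review bot: The check at new line 25 is a deny-list test, so it rejects only values that contain a non-alphanumeric character; an empty string passes it, and a missing secret is coerced by test() to the string "undefined" and passes too, after which it is concatenated into both selectors on lines 29 and 30. Unless a check above this hunk already guarantees a non-empty string, consider requiring typeof data.secret === 'string' and a positive match such as /^[a-zA-Z0-9]+$/ (ideally with the expected length) before building the selectors. A one-line comment saying the check exists because the value is interpolated into querySelectorAll() would also help the next reader keep it in place.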
     
    3337        for ( i = 0; i < iframes.length; i++ ) {
    3438            source = iframes[ i ];
     39
     40            if ( e.source !== source.contentWindow ) {
     41                continue;
     42            }
    3543
    3644            source.style.display = '';
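
Review bot: The e.source !== source.contentWindow comparison at new lines 40 to 42 guards only the iframes loop, while the blockquotes selected at line 30 with the same secret are not covered by anything visible here. If those blockquotes are modified before this loop runs, a message from a window that matches none of the selected iframes could still change them; consider confirming that e.source belongs to at least one matched iframe before touching any element, or applying the same comparison wherever the blockquotes are handled. A short comment on why the window instances are compared (the secret alone does not prove which frame sent the message) would document the intent.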