Fixed prototype pollution bug and only allow trusted origin (#17420)

author Rohan Sharma <i.am.lone.survivor@protonmail.com>

Tue, 1 Feb 2022 16:34:48 +0000 (22:04 +0530)

committer GitHub <noreply@github.com>

Tue, 1 Feb 2022 16:34:48 +0000 (17:34 +0100)
author Rohan Sharma <i.am.lone.survivor@protonmail.com>
Tue, 1 Feb 2022 16:34:48 +0000 (22:04 +0530)
committer GitHub <noreply@github.com>
Tue, 1 Feb 2022 16:34:48 +0000 (17:34 +0100)
diff --git a/public/embed.js b/public/embed.js

index dac50745376c2742b0fc1888180aedd01ecfc2de..d597fd33c70176e38fa0c5d0d86ca3451ec51487 100644 (file)
--- a/public/embed.js
+++ b/public/embed.js
@@ -15,7 +15,7 @@
      window.addEventListener('message', function(e) {
        var data = e.data || {};
  
-      if (data.type !== 'setHeight' || !iframes[data.id]) {
+      if (data.type !== 'setHeight' || !iframes[data.id] || window.location.origin !== e.origin || data.id.toString() === '__proto__') {
          return;
        }
author	Rohan Sharma <i.am.lone.survivor@protonmail.com>
	Tue, 1 Feb 2022 16:34:48 +0000 (22:04 +0530)
committer	GitHub <noreply@github.com>
	Tue, 1 Feb 2022 16:34:48 +0000 (17:34 +0100)