Verify the request id parameter

2025-04-26 10:08:06 +02:00 · 2012-08-17 16:56:47 -05:00 · 2012-08-17 16:56:47 -05:00 · 4f20f5f1bb
commit 4f20f5f1bb
parent 52d229761a
1 changed files with 10 additions and 1 deletions
--- a/src/fonts.js
+++ b/src/fonts.js
@ -501,6 +501,16 @@ var FontLoader = {
      // The postMessage() hackery was added to work around chrome bug
      // 82402.

+      var requestId = request.id;
+      // Validate the requestId parameter -- the value used to construct HTML.
+      if (!/^[\w\-]+$/.test(requestId)) {
+        error('Invalid request id: ' + requestId);
+
+        // Normally the error-function throws. But if a malicious code
+        // intercepts the function call then the return is needed.
+        return;
+      }
+
      var names = [];
      for (var i = 0, ii = fonts.length; i < ii; i++)
        names.push(fonts[i].loadedName);
@ -526,7 +536,6 @@ var FontLoader = {
      div.innerHTML = html;
      document.body.appendChild(div);

-      var requestId = request.id;
      window.addEventListener(
        'message',
        function fontLoaderMessage(e) {