Răsfoiți Sursa

Allow only a whitelist of settings attrs to be overridden

Makes it more secure, since the enclosed converse object as access to
privileged data, we don't want people to inject code that could expose that.
JC Brand 12 ani în urmă
părinte
comite
75b61fda6f
1 a modificat fișierele cu 18 adăugiri și 2 ștergeri
  1. 18 2
      converse.js

+ 18 - 2
converse.js

@@ -47,14 +47,30 @@
         this.animate = true;
         this.auto_list_rooms = false;
         this.auto_subscribe = false;
-        this.bosh_service_url = ''; // The BOSH connection manager URL.
+        this.bosh_service_url = undefined; // The BOSH connection manager URL.
         this.debug = false;
         this.hide_muc_server = false;
         this.i18n = locales.en;
         this.prebind = false;
         this.show_controlbox_by_default = false;
         this.xhr_user_search = false;
-        _.extend(this, settings);
+
+        // Allow only the whitelisted settings attributes to be overwritten,
+        // nothing else.
+        whitelist = [
+            'animate',
+            'auto_list_rooms',
+            'auto_subscribe',
+            'bosh_service_url',
+            'fullname',
+            'debug',
+            'hide_muc_server',
+            'i18n',
+            'prebind',
+            'show_controlbox_by_default',
+            'xhr_user_search'
+        ];
+        _.extend(this, _.pick(settings, whitelist));
 
         var __ = $.proxy(function (str) {
             var t = this.i18n.translate(str);