3 年前 · 3dade61176
--- a/dist/reveal.esm.js
+++ b/dist/reveal.esm.js
--- a/dist/reveal.esm.js.map
+++ b/dist/reveal.esm.js.map
--- a/dist/reveal.js
+++ b/dist/reveal.js
--- a/dist/reveal.js.map
+++ b/dist/reveal.js.map
--- a/js/utils/constants.js
+++ b/js/utils/constants.js
@@ -4,7 +4,7 @@ export const HORIZONTAL_SLIDES_SELECTOR = '.slides>section';
 
				 export const VERTICAL_SLIDES_SELECTOR = '.slides>section.present>section';
			
 
				 
			
 
				 // Methods that may not be invoked via the postMessage API
			
 
				-export const POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener/;
			
 
				+export const POST_MESSAGE_METHOD_BLACKLIST = /registerPlugin|registerKeyboardShortcut|addKeyBinding|addEventListener|showPreview/;
			
 
				 
			
 
				 // Regex for retrieving the fragment style from a class attribute
			
 
				 export const FRAGMENT_STYLE_REGEX = /fade-(down|up|right|left|out|in-then-out|in-then-semi-out)|semi-fade-out|current-visible|shrink|grow/;
			
--- a/plugin/notes/notes.esm.js
+++ b/plugin/notes/notes.esm.js
--- a/plugin/notes/notes.js
+++ b/plugin/notes/notes.js
--- a/plugin/notes/plugin.js
+++ b/plugin/notes/plugin.js
@@ -151,15 +151,36 @@ const Plugin = () => {
 
				 
			
 
				 	}
			
 
				 
			
 
				-	function onPostMessage( event ) {
			
 
				+	/**
			
 
				+	 * Check if the given event is from the same origin as the
			
 
				+	 * current window.
			
 
				+	 */
			
 
				+	function isSameOriginEvent( event ) {
			
 
				 
			
 
				-		let data = JSON.parse( event.data );
			
 
				-		if( data && data.namespace === 'reveal-notes' && data.type === 'connected' ) {
			
 
				-			clearInterval( connectInterval );
			
 
				-			onConnected();
			
 
				+		try {
			
 
				+			return window.location.origin === event.source.location.origin;
			
 
				 		}
			
 
				-		else if( data && data.namespace === 'reveal-notes' && data.type === 'call' ) {
			
 
				-			callRevealApi( data.methodName, data.arguments, data.callId );
			
 
				+		catch ( error ) {
			
 
				+			return false;
			
 
				+		}
			
 
				+
			
 
				+	}
			
 
				+
			
 
				+	function onPostMessage( event ) {
			
 
				+
			
 
				+		// Only allow same-origin messages
			
 
				+		// (added 12/5/22 as a XSS safeguard)
			
 
				+		if( isSameOriginEvent( event ) ) {
			
 
				+
			
 
				+			let data = JSON.parse( event.data );
			
 
				+			if( data && data.namespace === 'reveal-notes' && data.type === 'connected' ) {
			
 
				+				clearInterval( connectInterval );
			
 
				+				onConnected();
			
 
				+			}
			
 
				+			else if( data && data.namespace === 'reveal-notes' && data.type === 'call' ) {
			
 
				+				callRevealApi( data.methodName, data.arguments, data.callId );
			
 
				+			}
			
 
				+
			
 
				 		}
			
 
				 
			
 
				 	}
			
--- a/plugin/notes/speaker-view.html
+++ b/plugin/notes/speaker-view.html
@@ -380,14 +380,8 @@
 
				 				var connectionTimeout = setTimeout( function() {
			
 
				 					connectionStatus.innerHTML = 'Error connecting to main window.<br>Please try closing and reopening the speaker view.';
			
 
				 				}, 5000 );
			
 
				-;
			
 
				-				window.addEventListener( 'message', function( event ) {
			
 
				 
			
 
				-					// Validate the origin of all messages to avoid parsing messages
			
 
				-					// that aren't meant for us
			
 
				-					if( window.location.origin !== event.origin ) {
			
 
				-						return;
			
 
				-					}
			
 
				+				window.addEventListener( 'message', function( event ) {
			
 
				 
			
 
				 					clearTimeout( connectionTimeout );
			
 
				 					connectionStatus.style.display = 'none';