diff options
| author | Rohan Sharma <i.am.lone.survivor@protonmail.com> | 2022-02-01 22:04:48 +0530 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-01 17:34:48 +0100 |
| commit | 4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09 (patch) | |
| tree | 631d2db616c30663037a77bf4dd7c90d0508a542 | |
| parent | 54581d43e75499530b188ba4964b4ac65d1c6980 (diff) | |
Fixed prototype pollution bug and only allow trusted origin (#17420)
| -rw-r--r-- | public/embed.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/public/embed.js b/public/embed.js index dac507453..d597fd33c 100644 --- a/public/embed.js +++ b/public/embed.js @@ -15,7 +15,7 @@ window.addEventListener('message', function(e) { var data = e.data || {}; - if (data.type !== 'setHeight' || !iframes[data.id]) { + if (data.type !== 'setHeight' || !iframes[data.id] || window.location.origin !== e.origin || data.id.toString() === '__proto__') { return; } |