Kraut.World/server
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed potential injection by switching map container to PHP

Browse source 
Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
David Négrier 2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions
Download patch file Download diff file Expand all files Collapse all files

42
maps/tests/Metadata/playerMove.json
View file

@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"playerMove.html"
},
"value":"playerMove.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@ -105,7 +105,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@ -114,7 +114,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@ -123,7 +123,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@ -132,7 +132,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@ -141,7 +141,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@ -150,7 +150,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@ -159,7 +159,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@ -168,7 +168,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@ -177,7 +177,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@ -186,7 +186,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@ -195,7 +195,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@ -204,7 +204,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@ -213,7 +213,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@ -222,7 +222,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@ -233,7 +233,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@ -251,4 +251,4 @@
"type":"map",
"version":1.4,
"width":10
}
}