Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
David Négrier 2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions


@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"setProperty.html"
},
"value":"setProperty.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}
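Review bot: The `openWebsite` property in the `-36,8 +36,8` hunk now reads `"value":"setProperty.php"`, so this map only works when its container actually executes PHP; on a static host the file would be returned as source text instead of the rendered page. The PHP page is not part of this section, so confirm there that the domain it injects comes from server-side configuration and is escaped for the HTML/script context it lands in. If it were taken from a request-supplied value such as the `Host` or `Referer` header, that would bring back the trust problem this commit removes from `document.referrer`. This matters here because the same object also carries an `openWebsiteAllowApi` property (its value lies outside the hunk), so the embedded page may be granted scripting API access. JSON has no comment syntax, so the PHP hosting requirement belongs in the maps' documentation rather than in this file.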