Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document. While this was done in a safe way (the map container does not use cookies), it is not a best practice to load a script originating from document.referrer. This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
2021-11-29 19:05:13 +01:00 · 2021-11-29 19:05:13 +01:00 · 41fd848fa0
commit 41fd848fa0
parent 233c3d1abe
27 changed files with 167 additions and 204 deletions
--- a/maps/tests/iframe.html
+++ b/maps/tests/iframe.html
@ -1,30 +0,0 @@
-<!doctype html>
-<html lang="en">
-    <head>
-        <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
-        </script>
-    </head>
-    <body>
-        <button id="sendchat">Send chat message</button>
-        <script>
-            document.getElementById('sendchat').onclick = () => {
-                WA.chat.sendChatMessage('Hello world!', 'Mr ROBOT');
-            }
-        </script>
-        <div id="chatSent"></div>
-        <script>
-            window.addEventListener('load', () => {
-                WA.chat.onChatMessage((message => {
-                    const chatDiv = document.createElement('p');
-                    chatDiv.innerText = message;
-                    document.getElementById('chatSent').append(chatDiv);
-                }));
-            })
-        </script>
-    </body>
-</html>