Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), loading a script
from an origin taken from document.referrer is not a best practice, because that value is set by whichever page embeds the file.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
David Négrier
2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions
+22 -22
@@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"setProperty.html"
},
"value":"setProperty.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}
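Review bot: Every hunk except `@@ -36,8 +36,8 @@` replaces `},` (or the closing `}`) with a visually identical line, which looks like whitespace or line-ending churn and buries the one functional change, `"value":"setProperty.php"`. I would drop those rewrites or commit the normalisation separately, so that this section shows only the `openWebsite` line. That property sits next to `openWebsiteAllowApi`, so the target page presumably gets scripting-API access, and the map now depends on its host executing PHP; on a static host the `.php` file would likely be served as source or as a download. The PHP file itself is not part of this section, so it is worth confirming there that the injected domain comes from server-side configuration rather than a request header, and that it is encoded for the context it is written into.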