feat: add security rules to IFrameBlock element

Hufe921 · Apr 18, 2024 · cdbd1ff · cdbd1ff
1 parent 224ead0
commit cdbd1ff
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/src/editor/core/draw/particle/block/modules/IFrameBlock.ts b/src/editor/core/draw/particle/block/modules/IFrameBlock.ts
@@ -1,21 +1,30 @@
 import { IRowElement } from '../../../../../interface/Row'
 
 export class IFrameBlock {
-  private static readonly sandbox = [
-    'allow-forms',
-    'allow-scripts',
-    'allow-same-origin',
-    'allow-popups'
-  ]
+  private static readonly sandbox = ['allow-scripts', 'allow-same-origin']
   private element: IRowElement
 
   constructor(element: IRowElement) {
     this.element = element
   }
 
+  private _defineIframeProperties(iframeWindow: Window) {
+    Object.defineProperties(iframeWindow, {
+      // 禁止获取parent避免安全漏洞
+      parent: {
+        get: () => null
+      },
+      // 用于区分上下文
+      __POWERED_BY_CANVAS_EDITOR__: {
+        get: () => true
+      }
+    })
+  }
+
   public render(blockItemContainer: HTMLDivElement) {
     const block = this.element.block!
     const iframe = document.createElement('iframe')
+    iframe.setAttribute('data-id', this.element.id!)
     iframe.sandbox.add(...IFrameBlock.sandbox)
     iframe.style.border = 'none'
     iframe.style.width = '100%'
@@ -26,5 +35,7 @@ export class IFrameBlock {
       iframe.srcdoc = block.iframeBlock.srcdoc
     }
     blockItemContainer.append(iframe)
+    // 重新定义iframe上属性
+    this._defineIframeProperties(iframe.contentWindow!)
   }
 }