Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix: sanitize params for 'context-menu' event sent over IPC for webview
  • Loading branch information
miniak committed Oct 4, 2021
1 parent 3b2c46d commit 7fee455
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 19 deletions.
23 changes: 6 additions & 17 deletions lib/browser/guest-view-manager.ts
Expand Up @@ -21,13 +21,6 @@ const supportedWebViewEvents = Object.keys(webViewEvents);
const guestInstances = new Map<number, GuestInstance>();
const embedderElementsMap = new Map<string, number>();

function sanitizeOptionsForGuest (options: Record<string, any>) {
const ret = { ...options };
// WebContents values can't be sent over IPC.
delete ret.webContents;
return ret;
}

function makeWebPreferences (embedder: Electron.WebContents, params: Record<string, any>) {
// parse the 'webpreferences' attribute string, if set
// this uses the same parsing rules as window.open uses for its features
Expand Down Expand Up @@ -138,7 +131,12 @@ const createGuest = function (embedder: Electron.WebContents, embedderFrameId: n
const makeProps = (eventKey: string, args: any[]) => {
const props: Record<string, any> = {};
webViewEvents[eventKey].forEach((prop, index) => {
props[prop] = args[index];
if (Array.isArray(prop)) {
const [name, sanitizer] = prop;
props[name] = sanitizer(args[index]);
} else {
props[prop as string] = args[index];
}
});
return props;
};
Expand All @@ -150,15 +148,6 @@ const createGuest = function (embedder: Electron.WebContents, embedderFrameId: n
});
}

guest.on('new-window', function (event, url, frameName, disposition, options) {
sendToEmbedder(IPC_MESSAGES.GUEST_VIEW_INTERNAL_DISPATCH_EVENT, 'new-window', {
url,
frameName,
disposition,
options: sanitizeOptionsForGuest(options)
});
});

// Dispatch guest's IPC messages to embedder.
guest.on('ipc-message-host' as any, function (event: Electron.IpcMainEvent, channel: string, args: any[]) {
sendToEmbedder(IPC_MESSAGES.GUEST_VIEW_INTERNAL_DISPATCH_EVENT, 'ipc-message', {
Expand Down
17 changes: 15 additions & 2 deletions lib/common/web-view-events.ts
@@ -1,4 +1,16 @@
export const webViewEvents: Record<string, readonly string[]> = {
type Sanitizer = (obj: Record<string, any>) => Record<string, any>;

function makeSanitizer (names: string[]): Sanitizer {
return (obj: Record<string, any>) => {
const ret = { ...obj };
for (const name of names) {
delete ret[name];
}
return ret;
};
}

export const webViewEvents: Record<string, readonly (string | readonly [string, Sanitizer])[]> = {
'load-commit': ['url', 'isMainFrame'],
'did-attach': [],
'did-finish-load': [],
Expand All @@ -8,7 +20,8 @@ export const webViewEvents: Record<string, readonly string[]> = {
'did-stop-loading': [],
'dom-ready': [],
'console-message': ['level', 'message', 'line', 'sourceId'],
'context-menu': ['params'],
'context-menu': [['params', makeSanitizer(['frame'])]],
'new-window': ['url', 'frameName', 'disposition', ['options', makeSanitizer(['webContents'])]],
'devtools-opened': [],
'devtools-closed': [],
'devtools-focused': [],
Expand Down

0 comments on commit 7fee455

Please sign in to comment.