Changeset 8611 for tags/release-0.4.2/src/io/xip_server.html

Timestamp:

05/14/07 16:03:16 (20 months ago)

Author:

jburke

Message:

Fixes #3011.

Files:

• tags/release-0.4.2/src/io/xip_server.html (modified) (4 diffs)

tags/release-0.4.2/src/io/xip_server.html

@@ -20 +20 @@
         ALL OF YOUR XHR-ENABLED SERVICES ON YOUR SITE. 
         
-        In order for this file to work, you should define a function with the following signature:
+        In order for this file to work, you need to uncomment the script element,
+        and you should define a function with the following signature:
         
         function isAllowedRequest(request){
@@ -46 +47 @@
         See xip_client.html for more info on the xip fragment identifier protocol.      
         -->
-        <script type="text/javascript">
-        // <!--
-        djConfig = {
-                parseWidgets: false,
-                baseScriptUri: "./"
-        }
-        // -->
-        </script>
-        <script type="text/javascript">
+        
+        <!-- Security protection: uncomment the script tag to enable. -->
+        <!-- script type="text/javascript" -->
         // <!--
                 //Core XHR handling taken from Dojo IO code.
@@ -347 +342 @@
                 xipStateId = config.id;
                 xipClientUrl = config.client;
+                
+                //Make sure we don't have a javascript: url, just for good measure.
+                if(xipClientUrl.split(":")[0].match(/javascript/i)){
+                        throw "Invalid client URL";
+                }
+                if(!xipStateId.match(/^XhrIframeProxy[0-9]+$/)){
+                        throw "Invalid state ID";
+                }
+
                 xipUseFrameRecursion = config["fr"];
 
@@ -353 +357 @@
                 if(xipUseFrameRecursion == "true"){
                         var serverUrl = window.location.href.split("#")[0];
-                        document.getElementById("iframeHolder").innerHTML = '<iframe src="'
-                                + makeClientUrl("init", 'id=' + xipStateId + '&server=' + encodeURIComponent(serverUrl)
-                                + '&fr=endpoint') + '" name="' + xipStateId + '_clientEndPoint"></iframe>';
+                        document.getElementById("iframeHolder").innerHTML = '<iframe name="'
+                                + xipStateId + '_clientEndPoint'
+                                + '" src="javascript:false">'
+                                + '</iframe>';
+                        var iframeNode = document.getElementsByTagName("iframe")[0];
+                        iframeNode.src = makeClientUrl("init", 'id=' + xipStateId + '&server='
+                                + encodeURIComponent(serverUrl) + '&fr=endpoint');
                 }else{
                         setClientUrl("loaded");