Merge pull request #847 from jitsi/cs-custom-scriptUrl
Skips some url parameters that can inject scripts.
This commit is contained in:
commit
9a0d8616ed
|
@ -36,6 +36,12 @@ var URLProcessor = {
|
||||||
if (key.indexOf("config.") === 0) {
|
if (key.indexOf("config.") === 0) {
|
||||||
confObj = configJSON.config;
|
confObj = configJSON.config;
|
||||||
confKey = key.substr("config.".length);
|
confKey = key.substr("config.".length);
|
||||||
|
|
||||||
|
// prevent passing some parameters which can inject scripts
|
||||||
|
if (confKey === 'analyticsScriptUrl'
|
||||||
|
|| confKey === 'callStatsCustomScriptUrl')
|
||||||
|
continue;
|
||||||
|
|
||||||
} else if (key.indexOf("interfaceConfig.") === 0) {
|
} else if (key.indexOf("interfaceConfig.") === 0) {
|
||||||
confObj = configJSON.interfaceConfig;
|
confObj = configJSON.interfaceConfig;
|
||||||
confKey = key.substr("interfaceConfig.".length);
|
confKey = key.substr("interfaceConfig.".length);
|
||||||
|
|
Loading…
Reference in New Issue