Merge pull request #847 from jitsi/cs-custom-scriptUrl

Skips some url parameters that can inject scripts.
2016-09-08 18:09:04 -05:00 · 2016-09-08 18:09:04 -05:00 · 9a0d8616ed
parent 62c4ff719e d65479abc9
commit 9a0d8616ed
1 changed files with 6 additions and 0 deletions
--- a/modules/config/URLProcessor.js
+++ b/modules/config/URLProcessor.js
@ -36,6 +36,12 @@ var URLProcessor = {
            if (key.indexOf("config.") === 0) {
                confObj = configJSON.config;
                confKey = key.substr("config.".length);
+
+                // prevent passing some parameters which can inject scripts
+                if (confKey === 'analyticsScriptUrl'
+                    || confKey === 'callStatsCustomScriptUrl')
+                    continue;
+
            } else if (key.indexOf("interfaceConfig.") === 0) {
                confObj = configJSON.interfaceConfig;
                confKey = key.substr("interfaceConfig.".length);