Skips some url parameters that can inject scripts.

damencho 2016-09-08 13:12:56 -05:00
parent 62c4ff719e
commit d65479abc9
1 changed files with 6 additions and 0 deletions


@ -36,6 +36,12 @@ var URLProcessor = {
if (key.indexOf("config.") === 0) { if (key.indexOf("config.") === 0) {
confObj = configJSON.config; confObj = configJSON.config;
confKey = key.substr("config.".length); confKey = key.substr("config.".length);
// prevent passing some parameters which can inject scripts
if (confKey === 'analyticsScriptUrl'
|| confKey === 'callStatsCustomScriptUrl')
continue;
} else if (key.indexOf("interfaceConfig.") === 0) { } else if (key.indexOf("interfaceConfig.") === 0) {
confObj = configJSON.interfaceConfig; confObj = configJSON.interfaceConfig;
confKey = key.substr("interfaceConfig.".length); confKey = key.substr("interfaceConfig.".length);
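Review bot: The denylist added after `confKey = key.substr("config.".length);` blocks only `analyticsScriptUrl` and `callStatsCustomScriptUrl`, so any other `config.` key whose value is later used as a script or resource URL would still be overridable from the page URL, and every such key added in future has to be remembered here. An allowlist of keys that are safe to override fails closed instead, for example `if (URL_OVERRIDABLE_KEYS.indexOf(confKey) === -1) { continue; }`, where `URL_OVERRIDABLE_KEYS` is a proposed constant and not a name from this file. The `interfaceConfig.` branch gets no equivalent check; whether it needs one depends on how those values are consumed, which is not visible here. The enclosing loop and the rest of the function lie outside the hunk.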