From 93791063d02bb8f5eb0764108ab21693a2d427fa Mon Sep 17 00:00:00 2001 
From: Juan Ferrer Toribio 
Date: Sat, 23 Jul 2016 00:36:38 +0200 
Subject: [PATCH] Mejorada seguridad contra ataques XSS 
---
 web/index.php | 1 +
 web/js/hedera/module.js | 4 ++--
 web/js/vn/builder.js | 14 ++------------
 web/js/vn/locale.js | 2 +-
 4 files changed, 6 insertions(+), 15 deletions(-) 
diff --git a/web/index.php b/web/index.php 
index fb8efb50..6ef7df61 100755 
--- a/web/index.php 
+++ b/web/index.php 
@@ -110,6 +110,7 @@ setcookie ('hedera_version', Web::getVersion ());
 $basePath = 'pages/'. $page; 
+header ("Content-Security-Policy: default-src 'self'; img-src *");
 header ('Content-Type: text/html; charset=utf-8');
 if (file_exists ($basePath)) 
diff --git a/web/js/hedera/module.js b/web/js/hedera/module.js 
index 5df67f91..398e16fb 100644 
--- a/web/js/hedera/module.js 
+++ b/web/js/hedera/module.js 
@@ -68,7 +68,7 @@ Vn.Module = new Class
 var klassName = this.toCamelCase (this.moduleName);
 try { 
- this.klass = eval (klassName); 
+ this.klass = Vn[klassName];
 }
 catch (e)
 { 
@@ -85,7 +85,7 @@ Vn.Module = new Class
 ,toCamelCase: function (dashedName)
 { 
- var camelCase = 'Vn.'+ dashedName.charAt (0).toUpperCase (); 
+ var camelCase = dashedName.charAt (0).toUpperCase ();
 camelCase += dashedName.substr (1).replace (/\w\-\w/g,
 function (token) {
 return token.charAt (0) + token.charAt (2).toUpperCase (); 
diff --git a/web/js/vn/builder.js b/web/js/vn/builder.js 
index 1560f086..40b565e4 100644 
--- a/web/js/vn/builder.js 
+++ b/web/js/vn/builder.js 
@@ -527,19 +527,9 @@ Vn.Builder = new Class
 ,_getMethod: function (value)
 {
 if (this.signalData) 
- var methodName = 'this.signalData.'+ value; 
+ var method = this.signalData[value];
 else 
- var methodName = value; 
- 
- var method; 
- 
- try { 
- method = eval (methodName); 
- } 
- catch (e) 
- { 
- method = undefined; 
- } 
+ var method = window[value];
 if (method === undefined)
 this._showError ('Function \'%s\' not found', value); 
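Review bot: The policy added on the `+header (...)` line leaves `base-uri` and `form-action` unrestricted, because those two directives do not fall back to `default-src`, so an injected `<base>` element or a form posting to another origin is still permitted; at the same time `default-src 'self'` already blocks inline scripts, inline styles and `eval` for the whole app, so any inline `<script>` or `on*=` attribute in the served templates (not visible here) will stop working. I'd extend the line to `header ("Content-Security-Policy: default-src 'self'; img-src *; base-uri 'self'; form-action 'self'");` and, if the templates have not been audited for inline code, ship it first as `Content-Security-Policy-Report-Only` so violations are reported before they break pages. The header is emitted just before `Content-Type`, which is fine as long as nothing earlier in the file has already sent output.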
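Review bot: After the change to `this.klass = Vn[klassName];` a missing module class no longer throws inside the `try`, because a property lookup on an existing object simply yields `undefined`, so the `catch (e)` that follows (its body lies outside the hunk) presumably no longer covers the not-found case and `this.klass` can stay `undefined` until something tries to use it. If module classes are constructor functions, as `new Class` suggests, an explicit check right after the assignment, `if (typeof this.klass !== 'function') throw new Error ('Module class not found: '+ klassName);`, restores the failure path, and guarding with `Vn.hasOwnProperty (klassName)` keeps inherited names such as `constructor` from resolving through the lookup. The second hunk in this file drops the `'Vn.'` prefix from `toCamelCase`, which is what makes the bracket lookup work, but it also changes the value returned to any other caller of `toCamelCase`; none are visible in this diff. The enclosing method starts before the hunk.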
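Review bot: `var method` is declared twice, once in each branch of the `if`/`else`; `var` is function-scoped so this runs, but it reads as two declarations of one name and linters will flag it — `var method = this.signalData ? this.signalData[value] : window[value];` says the same in one statement. The `method === undefined` check that follows does not confirm the value is callable: `window[value]` can resolve to any global (an object, a string), which passes the check and only fails when the caller of `_getMethod` invokes it, while the message says the function was not found; `if (typeof method !== 'function')` matches the message. Note also that the removed `eval` accepted dotted expressions such as `obj.handler`, which a plain bracket lookup does not, so templates relying on that now hit the not-found path; a one-line comment stating that handler names must be plain identifiers on `signalData` or on `window` would document this. `_getMethod` continues past the end of the hunk.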
diff --git a/web/js/vn/locale.js b/web/js/vn/locale.js 
index ce298c3a..7e153546 100644 
--- a/web/js/vn/locale.js 
+++ b/web/js/vn/locale.js 
@@ -44,7 +44,7 @@ Vn.Locale =
 if (request.status == 200)
 {
 try { 
- this.add (eval ('('+ request.responseText +')')); 
+ this.add (JSON.parse (request.responseText));
 success = true;
 }
 catch (e) {
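Review bot: `JSON.parse` on the `+this.add (...)` line is strict where the old `eval` accepted any JavaScript object literal, so a locale file with single-quoted strings, trailing commas or comments now throws `SyntaxError` into the `catch (e) {` that opens on the hunk's last line; its body is outside the hunk, and if it only leaves `success` false the broken file will be silently ignored. I'd add `// Locale files must be strict JSON: double-quoted keys and strings, no trailing commas, no comments.` above the call and make sure the catch logs or reports the parse error rather than swallowing it. The enclosing function starts before and ends after the hunk.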