Mejorada seguridad contra ataques XSS

2016-07-23 00:36:38 +02:00 · 2016-07-23 00:36:38 +02:00 · 93791063d0
parent 19731fd618
commit 93791063d0
4 changed files with 6 additions and 15 deletions
--- a/web/index.php
+++ b/web/index.php
@ -110,6 +110,7 @@ setcookie ('hedera_version', Web::getVersion ());

 $basePath = 'pages/'. $page;

+header ("Content-Security-Policy: default-src 'self'; img-src *");
 header ('Content-Type: text/html; charset=utf-8');

 if (file_exists ($basePath))
--- a/web/js/hedera/module.js
+++ b/web/js/hedera/module.js
@ -68,7 +68,7 @@ Vn.Module = new Class
 		var klassName = this.toCamelCase (this.moduleName);
 		
 		try {
-			this.klass = eval (klassName);
+			this.klass = Vn[klassName];
 		}
 		catch (e)
 		{
@ -85,7 +85,7 @@ Vn.Module = new Class
 	
 	,toCamelCase: function (dashedName)
 	{
-		var camelCase = 'Vn.'+ dashedName.charAt (0).toUpperCase ();
+		var camelCase = dashedName.charAt (0).toUpperCase ();
 		camelCase += dashedName.substr (1).replace (/\w\-\w/g, function (token)
 		{
 			return token.charAt (0) + token.charAt (2).toUpperCase ();
--- a/web/js/vn/builder.js
+++ b/web/js/vn/builder.js
@ -527,19 +527,9 @@ Vn.Builder = new Class
 	,_getMethod: function (value)
 	{	
 		if (this.signalData)
-			var methodName = 'this.signalData.'+ value;
+			var method = this.signalData[value];
 		else
-			var methodName = value;
-
-		var method;
-
-		try {
-			method = eval (methodName);
-		}
-		catch (e)
-		{
-			method = undefined;
-		}
+			var method = window[value];
 		
 		if (method === undefined)
 			this._showError ('Function \'%s\' not found', value);
--- a/web/js/vn/locale.js
+++ b/web/js/vn/locale.js
@ -44,7 +44,7 @@ Vn.Locale =
 		if (request.status == 200)
 		{
 			try {
-				this.add (eval ('('+ request.responseText +')'));
+				this.add (JSON.parse (request.responseText));
 				success = true;
 			}
 			catch (e) {