From 1935f4b045a7da96feaad0cd64ceae62ed6dd987 Mon Sep 17 00:00:00 2001
From: Timothy Farrell
Date: Thu, 2 Feb 2017 20:23:33 -0600
Subject: [PATCH] Lock down element properties (allow setting and calling)

---
 packages/projector/src/projector.js | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/packages/projector/src/projector.js b/packages/projector/src/projector.js
index 1f0d95a..f73b213 100644
--- a/packages/projector/src/projector.js
+++ b/packages/projector/src/projector.js
@@ -2,6 +2,9 @@
 import { isFunction } from 'trimkit';
 import { supportsPassive } from './utils.js';
 
+const ALLOWED_SETTABLE_PROPERTIES = 'style lang dataset dir tabIndex title scrollTop scrollLeft className width height'.split(
+ ' '
+);
 const OVERRIDING_EVENTS = ['contextmenu', 'dragover', 'drop'];
 function getEventList(element) {
 const evtString = element.getAttribute('evl');
@@ -69,7 +72,7 @@ export function Projector(domRoot) {
 }
 }
 element.setAttribute('evl', eventList.join(';'));
- } else {
+ } else if (ALLOWED_SETTABLE_PROPERTIES.includes(name)) {
 element[name] = value;
 }
 } else if (value === null) {
@@ -150,9 +153,30 @@ export function Projector(domRoot) {
 eventCallbacks.push(fn);
 }
 
+ // https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#Properties
+ function setElementProperty(id, propertyPath, value) {
+ let ptr = getElement(id);
+ let path = propertyPath.split('.');
+ if (!ALLOWED_SETTABLE_PROPERTIES.includes(path[0])) {
+ throw new Error('Access Denied');
+ }
+
+ do {
+ ptr = ptr[path.pop()];
+ } while (path.length > 1);
+ return (ptr[path[0]] = value);
+ }
+
+ // https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#Methods
+ function runElementMethod(id, method) {
+ getElement(id)[method]();
+ }
+
 return {
 queueFrame,
 getElement,
- subscribe
+ subscribe,
+ setElementProperty,
+ runElementMethod
 };
 }
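Review bot: The new `else if (ALLOWED_SETTABLE_PROPERTIES.includes(name))` silently discards any property name outside the allowlist, while `setElementProperty` added in the same commit throws `'Access Denied'` for the same condition, so a rejected name is reported on one path and invisible on the other. If dropping is intended here, a comment such as `// names outside ALLOWED_SETTABLE_PROPERTIES are ignored, not rejected; see setElementProperty` would record that; otherwise a trailing `else { throw new Error('Access Denied'); }` would make the two paths consistent and keep misconfigured attributes from failing silently. The enclosing function starts and ends outside the hunk.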
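Review bot: `setElementProperty` walks the path from the wrong end: `path.pop()` consumes the last segment first, so for `'style.color'` the loop reads `element.color` and then assigns `ptr.style` on `undefined`, and for a single segment such as `'title'` it pops the only entry and ends at `ptr[undefined] = value`, which throws in strict-mode module code. The walk should consume segments from the front, `while (path.length > 1) { ptr = ptr[path.shift()]; }`, leaving the final segment for the assignment. The allowlist is also applied only to `path[0]`, so the deeper segments are unchecked and should be validated as well (at minimum rejecting `__proto__`, `constructor` and `prototype`), otherwise the lock-down stops at the first level. `runElementMethod` has no allowlist at all and calls `getElement(id)[method]()` without confirming the property is a function; it should be gated by a method allowlist (written below as the placeholder `ALLOWED_CALLABLE_METHODS`, to be defined beside `ALLOWED_SETTABLE_PROPERTIES` with whatever methods the projector actually needs, which this page does not show) and use the already-imported `isFunction`. The enclosing `Projector` function starts before this hunk.
```javascript
  function setElementProperty(id, propertyPath, value) {
    const path = propertyPath.split('.');
    // Only the first segment is allowlisted; the remaining segments must not
    // be able to reach a prototype, or the allowlist is bypassed below level one.
    const forbiddenSegments = ['__proto__', 'constructor', 'prototype'];
    if (
      !ALLOWED_SETTABLE_PROPERTIES.includes(path[0]) ||
      path.some((segment) => forbiddenSegments.includes(segment))
    ) {
      throw new Error('Access Denied');
    }
    // Walk from the root segment down; the last segment is the one assigned.
    let ptr = getElement(id);
    while (path.length > 1) {
      ptr = ptr[path.shift()];
    }
    return (ptr[path[0]] = value);
  }

  // ALLOWED_CALLABLE_METHODS: placeholder name for a method allowlist to be
  // defined next to ALLOWED_SETTABLE_PROPERTIES.
  function runElementMethod(id, method) {
    const element = getElement(id);
    if (!ALLOWED_CALLABLE_METHODS.includes(method) || !isFunction(element[method])) {
      throw new Error('Access Denied');
    }
    element[method]();
  }
```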