Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #1114 possible xss issue #1186

Merged
merged 2 commits into from
May 18, 2017
Merged

Fixes #1114 possible xss issue #1186

merged 2 commits into from
May 18, 2017

Conversation

mkendall07
Copy link
Member

Type of change

  • Refactoring (no functional changes, no api changes)

Description of change

Addresses #1114

Other information

This is super critical code, so review should be rigorous.

dbemiller
dbemiller approved these changes May 17, 2017
View reviewed changes
Copy link
Contributor

@dbemiller dbemiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The substance of the diff looks good. Obviously going to have to fix the conflicts & eslint style complaints before it'll let you merge.

test/spec/unit/pbjs_api_spec.js Outdated
@@ -573,8 +580,9 @@ describe('Unit: Prebid Module', function () {
it('should place the url inside an iframe on the doc', function () {
adResponse.adUrl = 'http://server.example.com/ad/ad.js';
$$PREBID_GLOBAL$$.renderAd(doc, bidId);
var iframe = '<IFRAME SRC="' + adResponse.adUrl + '" FRAMEBORDER="0" SCROLLING="no" MARGINHEIGHT="0" MARGINWIDTH="0" TOPMARGIN="0" LEFTMARGIN="0" ALLOWTRANSPARENCY="true" WIDTH="' + adResponse.width + '" HEIGHT="' + adResponse.height + '"></IFRAME>';
assert.ok(doc.write.calledWith(iframe), 'url was written to iframe in doc');
//var iframe = '<IFRAME SRC="' + adResponse.adUrl + '" FRAMEBORDER="0" SCROLLING="no" MARGINHEIGHT="0" MARGINWIDTH="0" TOPMARGIN="0" LEFTMARGIN="0" ALLOWTRANSPARENCY="true" WIDTH="' + adResponse.width + '" HEIGHT="' + adResponse.height + '"></IFRAME>';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to get rid of code, over leaving it commented.

@mkendall07 mkendall07 force-pushed the improvement/prevent_xss_iframe branch from 2b67af5 to 1fd74a7 Compare May 18, 2017 21:40
@mkendall07 mkendall07 merged commit 18955eb into master May 18, 2017
@mkendall07 mkendall07 deleted the improvement/prevent_xss_iframe branch May 18, 2017 22:10
outoftime pushed a commit to Genius/Prebid.js that referenced this pull request May 24, 2017
Merge branch 'master' of https://github.com/prebid/Prebid.js into pre…
26da027 
…built

* 'master' of https://github.com/prebid/Prebid.js: (23 commits)
  Increment pre version
  Probed 0.24.0 Release
  Beachfront adapter - add ad unit size (prebid#1183)
  Thoughtleadr adapter - fix postMessage (prebid#1207)
  When prebid server issues a no-bid response, call addBidResponse for every adUnit requested (prebid#1204)
  Improvement/timeout xhr (prebid#1172)
  Add native support (prebid#1072)
  Improvement/alias queue (prebid#1156)
  Updated documentaion (prebid#1160)
  Improvement/prebid iframes amp pages (prebid#1119)
  Fixes prebid#1114 possible xss issue (prebid#1186)
  Allowed setTargetingForGPTAsync() to target specific ad unit codes. (prebid#1158)
  updated tag (prebid#1212)
  Common user-sync (prebid#1144)
  Rename secureCreatives file and lint (prebid#1203)
  HIRO Media: Remove batching mechanism and use AJAX instead of JSONP (prebid#1133)
  Add Support for DigiTrust in Rubicon Adapter (prebid#1201)
  Upgrade linters to ESLint with stricter code style (prebid#1111)
  Add dynamic bidfloor parameter to Smart Adserver Adapter (prebid#1194)
  Bug fix: bids served by secure creatives does not get pushed into _winningBids (prebid#1192)
  ...
vzhukovsky added a commit to aol/Prebid.js that referenced this pull request Jul 17, 2017
@vzhukovsky
Merge pull request prebid#109 in AOLP_ADS_JS/prebid.js from release/1…
ea3bf0f 
….23.0 to aolgithub-master

* commit '136fc37637749a764070c35c03e7e87a5c157947': (33 commits)
  Added changelog entry.
  Implemented passing key values feature.
  Update code to ESlint rules.
  Prebid 0.24.1 Release
  tests: drop ie9 browserstack test
  Audience Network: separate size from format (prebid#1218)
  Bugfix/target filtering api fix (prebid#1220)
  Map sponsor request param to endpoint param (prebid#1219)
  Increment pre version
  Probed 0.24.0 Release
  Beachfront adapter - add ad unit size (prebid#1183)
  Thoughtleadr adapter - fix postMessage (prebid#1207)
  When prebid server issues a no-bid response, call addBidResponse for every adUnit requested (prebid#1204)
  Improvement/timeout xhr (prebid#1172)
  Add native support (prebid#1072)
  Improvement/alias queue (prebid#1156)
  Updated documentaion (prebid#1160)
  Improvement/prebid iframes amp pages (prebid#1119)
  Fixes prebid#1114 possible xss issue (prebid#1186)
  Allowed setTargetingForGPTAsync() to target specific ad unit codes. (prebid#1158)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dbemiller dbemiller dbemiller approved these changes

Assignees

@dbemiller dbemiller

Labels
LGTM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mkendall07 @dbemiller @matthewlane