postMEssage第二个参数存在中危漏洞 #674

ZhangXiang521 · 2025-04-07T08:32:04Z

postMessage: function(type, data) {
if (global.parent !== global) {
global.parent.postMessage(JSON3.stringify({ global.parent.postMessage(JSON3.stringify({
global.parent.postMessage(JSON.stringify({ global.parent.postMessage(JSON.stringify({
windowId: module.exports.currentWindowId
, type: type
, data: data || ''
}), '');
typeof global.postMessage === 'object') && (!browser.isKonqueror()); } else {
debug('Cannot postMessage, no parent window.', type, data);
}
}
使用代码安全卫士扫描出
postMessage第二个参数存在中危漏洞，如何整改，我可以传window.location.origin么，会不会影响源代码的正常功能

auvipy · 2025-04-08T09:27:39Z

can you please elaborate more on english? thanks

ZhangXiang521 · 2025-04-09T00:37:19Z

postMessage: function(type, data) {
if (global.parent !== global) {
global.parent.postMessage(JSON3.stringify({ global.parent.postMessage(JSON3.stringify({
global.parent.postMessage(JSON.stringify({ global.parent.postMessage(JSON.stringify({
windowId: module.exports.currentWindowId
, type: type
, data: data || ''
}), '');
typeof global.postMessage === 'object') && (!browser.isKonqueror()); } else {
debug('Cannot postMessage, no parent window.', type, data);
}
Scan with Code Security Guard
There is a medium risk vulnerability in the second parameter of postMessage. How can I fix it? Can I pass window.local.origin? Will it affect the normal function of the source code

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

postMEssage第二个参数存在中危漏洞 #674

postMEssage第二个参数存在中危漏洞 #674

ZhangXiang521 commented Apr 7, 2025

auvipy commented Apr 8, 2025

ZhangXiang521 commented Apr 9, 2025

postMEssage第二个参数存在中危漏洞 #674

postMEssage第二个参数存在中危漏洞 #674

Comments

ZhangXiang521 commented Apr 7, 2025

auvipy commented Apr 8, 2025

ZhangXiang521 commented Apr 9, 2025