Allow only a whitelist of settings attrs to be overridden

Makes it more secure, since the enclosed converse object as access to privileged data, we don't want people to inject code that could expose that.

Allow only a whitelist of settings attrs to be overridden
Makes it more secure, since the enclosed converse object as access to privileged data, we don't want people to inject code that could expose that.
75b61fda · JC Brand · 502b9225 · 75b61fda
Commit 75b61fda authored Aug 24, 2013 by JC Brand
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

converse.js converse.js +18 -2

No files found.
--- a/converse.js
+++ b/converse.js
@@ -47,14 +47,30 @@
        this.animate = true;
        this.auto_list_rooms = false;
        this.auto_subscribe = false;
-        this.bosh_service_url = ''; // The BOSH connection manager URL.
+        this.bosh_service_url = undefined; // The BOSH connection manager URL.
        this.debug = false;
        this.hide_muc_server = false;
        this.i18n = locales.en;
        this.prebind = false;
        this.show_controlbox_by_default = false;
        this.xhr_user_search = false;
-        _.extend(this, settings);
+
+        // Allow only the whitelisted settings attributes to be overwritten,
+        // nothing else.
+        whitelist = [
+            'animate',
+            'auto_list_rooms',
+            'auto_subscribe',
+            'bosh_service_url',
+            'fullname',
+            'debug',
+            'hide_muc_server',
+            'i18n',
+            'prebind',
+            'show_controlbox_by_default',
+            'xhr_user_search'
+        ];
+        _.extend(this, _.pick(settings, whitelist));

        var __ = $.proxy(function (str) {
            var t = this.i18n.translate(str);