Custom project thumbnail website

only if the website allows that in its onmessage handler

Snap lets websites postMessage JavaScript code for it to execute:

  • api.js:

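    window.onmessage = function (event) {
        // make the API accessible from outside an iframe
        //
        // Any window that can reach this one may post here; the message
        // names an IDE method (`selector`) and its arguments (`params`).
        // There is no origin check, so every callable IDE member is
        // reachable from a third-party page, including
        // Morph.prototype.evaluateString, which evals its argument.
        // TODO(review): restrict event.origin to the embedding site(s)
        // before relying on this in production.
        var data = event.data;
        var ide;
        var selector;
        var method;

        // other scripts post strings, null and unrelated objects to this
        // window; ignore anything that is not an object naming a selector
        if (data === null || typeof data !== 'object') {
            return;
        }
        selector = data.selector;
        if (typeof selector !== 'string') {
            return;
        }
        // params is handed to apply(), which throws on a non-array-like
        // value; treat such a request as malformed rather than crash
        if (data.params != null && !Array.isArray(data.params)) {
            return;
        }
        ide = world.children[0];
        method = ide[selector];
        // only dispatch to callable members so a selector naming a plain
        // property, or nothing at all, does not throw out of the handler
        if (typeof method !== 'function') {
            return;
        }
        // the reply goes to the top window whichever frame asked;
        // '*' delivers it to whatever origin is loaded there
        window.top.postMessage(
            {
                selector: selector,
                response: method.apply(ide, data.params)
            },
            '*'
        );
    };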
    
  • morphic.js:

    Morph.prototype.evaluateString = function (code) {
        // Evaluate `code` with a direct eval in this function's scope and
        // return its value.
        //
        // Because the eval is direct, the evaluated string runs with `this`
        // bound to the morph and can read and assign this function's locals;
        // a caller-supplied string therefore gets full script access. The
        // window.onmessage handler in api.js lets any page that can reach
        // Snap's window invoke IDE methods by name, so `code` may originate
        // from an untrusted site.
        //
        // @param {string} code - JavaScript source to evaluate
        // @returns {*} the value eval returned, or undefined when eval threw
        //   (if this.changed() throws afterwards, the eval value is still
        //   returned)
        var result;
    
        try {
            result = eval(code);
            // runs only when eval did not throw
            this.changed();
        } catch (err) {
            // errors are reported through inform(), never rethrown
            this.inform(err);
        }
        return result;
    };
    

ok, but then any website can use api.js to run malicious code.

yes, if the website has access to Snap's window object