When the Widget publishes a message, a malformed message can be posted to the message queue by injecting arbitrary HTML code. This can lead to information disclosure, for example of the full website title or page description. Widget users should apply the following mitigation to prevent such attacks.

To prevent these attacks, users should validate the message received from the Widget by checking the source of the message. This is done by adding an event listener for the message event and checking the source of the event. Widget users should also validate the data sent by the Widget by checking its data type. This is done by adding an event listener for the data event and checking the data type of the event.

The following example shows the message the Widget sends and the data it carries. The injected message is written with a closing tag of the form <\/script> because a literal </script> inside an inline script would end the script block early in the HTML parser.

<script type='text/javascript'>
function doSomething() {
  var widget = new Yandex.Widget({
    id: 'ywid_123456', // The widget’s unique identifier
    properties: { access: { control: 'YandexAccessibility' } },
    // Additional widget properties here.
    // Widget options here.
  });
  // Widget code here.
  widget.send({ message: '<script>alert(1)<\/script>' });
}
</script>

Mitigation for the Widget’s Message Event

The following mitigation should be applied when the Widget sends a message.
<script type='text/javascript'>
function doSomething() {
  var widget = new Yandex.Widget({
    id: 'ywid_123456', // The widget’s unique identifier
    properties: { access: { control: 'YandexAccessibility' } },
    // Additional widget properties here.
    // Widget options here.
  });
  // Widget code here.
  widget.send({ message: '' }); // the message text is truncated in the original page
}
</script>
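The receiving side that the mitigation text describes, as an added example that is not code from this advisory or from Yandex: a listener on the message event that checks the event's origin and source window, checks that the data is an object carrying a string message, and renders the message as text rather than markup. The Widget origin https://widget.example, the frame id widget-frame, the output element id widget-output, and the { message: string } data shape are assumptions made for the example, not facts from the page. The HTML escaping goes one step beyond the page's checks so that the message stays inert even if a caller later assigns it to innerHTML.

```javascript
// Added example (not from the original page): a hardened receiver for the
// Widget's postMessage traffic.
// Assumptions, not facts from the page: the embedding page expects the Widget
// frame at WIDGET_ORIGIN, and the Widget posts an object of the shape
// { message: <string> }.
const WIDGET_ORIGIN = 'https://widget.example'; // placeholder origin

// Escape the five HTML-significant characters so a message renders as text
// even if a caller later drops it into innerHTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate one MessageEvent-like object ({ origin, source, data }).
// Returns { ok: true, message } for a well-formed message from the expected
// origin (and, when given, the expected frame window), otherwise
// { ok: false, reason }.
function validateWidgetMessage(event, expectedSource) {
  // 1. Source check: the message must come from the Widget's origin, and,
  //    when the caller knows the frame, from that frame's window.
  if (event.origin !== WIDGET_ORIGIN) {
    return { ok: false, reason: 'unexpected origin: ' + event.origin };
  }
  if (expectedSource !== undefined && event.source !== expectedSource) {
    return { ok: false, reason: 'unexpected source window' };
  }
  // 2. Data type check: reject anything that is not { message: string }.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.message !== 'string') {
    return { ok: false, reason: 'malformed data' };
  }
  // 3. Treat the message as text, never as markup.
  return { ok: true, message: escapeHtml(data.message) };
}

// Browser wiring: registers the listener only when a DOM is present, so the
// validation function above can also be exercised outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('widget-frame'); // assumed frame id
  window.addEventListener('message', (event) => {
    const result = validateWidgetMessage(event, frame ? frame.contentWindow : undefined);
    if (!result.ok) {
      console.warn('dropped widget message:', result.reason);
      return;
    }
    // textContent renders the string literally; innerHTML would parse it.
    document.getElementById('widget-output').textContent = result.message;
  });
}
```

Checking event.source against the frame's contentWindow is stricter than checking origin alone: it rejects a message from a different frame that happens to share the Widget origin. Dropped messages are logged with the reason so that a burst of unexpected origins shows up in client-side telemetry.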

Timeline

Published on: 11/17/2022 00:15:00 UTC
Last modified on: 11/21/2022 18:23:00 UTC