Prevent raw content being served from storage. (#7443)

TODO: Detailed description to be added once deployed.
2026-01-06 08:30:13 +01:00 · 2023-08-28 18:56:57 +02:00
parent fb6c3dc8b2
commit 650e620e2b
2 changed files with 12 additions and 4 deletions
--- a/appengine/storage.js
+++ b/appengine/storage.js
@@ -130,6 +130,8 @@ BlocklyStorage.handleRequest_ = function() {
          BlocklyStorage.alert(BlocklyStorage.HASH_ERROR.replace('%1',
              window.location.hash));
        } else {
+          // Remove poison line to prevent raw content from being served.
+          data = data.replace(/^\{\[\(\< UNTRUSTED CONTENT \>\)\]\}\n/, '');
          BlocklyStorage.loadXml_(data, BlocklyStorage.httpRequest_.workspace);
        }
      }