From f1f28f61e608b70f437860e82555e3e4a9abd4b9 Mon Sep 17 00:00:00 2001
From: Hakim El Hattab
Date: Thu, 24 Oct 2013 08:59:52 -0400
Subject: plug potential xss vector

---
 js/reveal.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'js/reveal.js')

diff --git a/js/reveal.js b/js/reveal.js
index 3e9b160..a1ae5e4 100644
--- a/js/reveal.js
+++ b/js/reveal.js
@@ -191,9 +191,15 @@ var Reveal = (function(){
 		// Force a layout when the whole page, incl fonts, has loaded
 		window.addEventListener( 'load', layout, false );
 
+		var query = Reveal.getQueryHash();
+
+		// Do not accept new dependencies via query config to avoid
+		// the potential of malicious script injection
+		if( typeof query['dependencies'] !== 'undefined' ) delete query['dependencies'];
+
 		// Copy options over to our config object
 		extend( config, options );
-		extend( config, Reveal.getQueryHash() );
+		extend( config, query );
 
 		// Hide the address bar in mobile browsers
 		hideAddressBar();
-- 
cgit v1.2.3
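Review bot: The guard on `dependencies` is a single-key deny-list, so every other key that `extend( config, query )` copies from the URL still overrides config unchecked, and any option that is later rendered as markup or used to load a script would be reachable the same way; an allow-list of query keys known to be safe to override is the more robust shape, and the comment should state the policy rather than the one key, e.g. `// Query-string overrides may only touch plain display options; keys that can load or run code must never come from the URL`. The `typeof query['dependencies'] !== 'undefined'` test is redundant because `delete` on a missing property is a no-op, so `delete query.dependencies;` on its own reads the same and behaves the same. The enclosing function starts and ends outside the hunk, and `Reveal.getQueryHash` is not visible here, so whether it yields anything beyond plain string values cannot be confirmed from this page.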