Verify the names parameter

2012-03-15 21:25:19 -05:00 · 2012-03-15 21:25:19 -05:00 · 2508d2c12b
commit 2508d2c12b
parent 6051720ecb
1 changed files with 6 additions and 0 deletions
--- a/src/fonts.js
+++ b/src/fonts.js
@ -500,6 +500,12 @@ var FontLoader = {
      // The postMessage() hackery was added to work around chrome bug
      // 82402.

+      // Validate the names parameter -- the values can used to construct HTML.
+      if (!/^\w+$/.test(names.join(''))) {
+        error('Invalid font name(s): ' + names.join());
+        return; // Keep the return in case if error() did not throw.
+      }
+
      var div = document.createElement('div');
      div.setAttribute('style',
                       'visibility: hidden;' +