Use data:// URI rather than blob: URI to avoid XSS

2016-11-04 15:39:39 +00:00 · 2016-11-04 15:39:39 +00:00 · 8f778f54fd
commit 8f778f54fd
parent 6ea0085290
5 changed files with 37 additions and 59 deletions
--- a/src/components/views/messages/MFileBody.js
+++ b/src/components/views/messages/MFileBody.js
@ -22,6 +22,7 @@ var MatrixClientPeg = require('../../../MatrixClientPeg');
 var sdk = require('../../../index');
 var DecryptFile = require('../../../utils/DecryptFile');

+
 module.exports = React.createClass({
    displayName: 'MFileBody',

@ -66,12 +67,10 @@ module.exports = React.createClass({
        var content = this.props.mxEvent.getContent();
        var self = this;
        if (content.file !== undefined && this.state.decryptedUrl === null) {
-            DecryptFile.decryptFile(content.file).then(function(blob) {
-                if (!self._unmounted) {
-                    self.setState({
-                        decryptedUrl: window.URL.createObjectURL(blob),
-                    });
-                }
+            DecryptFile.decryptFile(content.file).then(function(url) {
+                self.setState({
+                    decryptedUrl: url,
+                });
            }).catch(function (err) {
                console.warn("Unable to decrypt attachment: ", err)
                // Set a placeholder image when we can't decrypt the image.
@ -80,13 +79,6 @@ module.exports = React.createClass({
        }
    },

-    componentWillUnmount: function() {
-        this._unmounted = true;
-        if (this.state.decryptedUrl) {
-            window.URL.revokeObjectURL(this.state.decryptedUrl);
-        }
-    },
-
    render: function() {
        var content = this.props.mxEvent.getContent();