Use data:// URI rather than blob: URI to avoid XSS

2016-11-04 15:39:39 +00:00 · 2016-11-04 15:39:39 +00:00 · ee1768f644
commit ee1768f644
parent b69e88d4e3
5 changed files with 37 additions and 59 deletions
--- a/src/components/views/messages/MAudioBody.js
+++ b/src/components/views/messages/MAudioBody.js
@ -49,12 +49,10 @@ export default class MAudioBody extends React.Component {
    componentDidMount() {
        var content = this.props.mxEvent.getContent();
        if (content.file !== undefined && this.state.decryptedUrl === null) {
-            decryptFile(content.file).then((blob) => {
-                if (!this._unmounted) {
-                    this.setState({
-                        decryptedUrl: window.URL.createObjectURL(blob),
-                    });
-                }
+            decryptFile(content.file).then((url) => {
+                this.setState({
+                    decryptedUrl: url
+                });
            }).catch((err) => {
                console.warn("Unable to decrypt attachment: ", err)
                // Set a placeholder image when we can't decrypt the image.
@ -63,13 +61,6 @@ export default class MAudioBody extends React.Component {
        }
    }

-    componentWillUnmount() {
-        this._unmounted = true;
-        if (this.state.decryptedUrl) {
-            window.URL.revokeObjectURL(this.state.decryptedUrl);
-        }
-    }
-
    render() {
        var content = this.props.mxEvent.getContent();