postMEssage第二个参数存在中危漏洞

[ZhangXiang521]

postMessage: function(type, data) {
if (global.parent !== global) {
global.parent.postMessage(JSON3.stringify({ global.parent.postMessage(JSON3.stringify({
global.parent.postMessage(JSON.stringify({ global.parent.postMessage(JSON.stringify({
windowId: module.exports.currentWindowId
, type: type
, data: data || ''
}), '');
typeof global.postMessage === 'object') && (!browser.isKonqueror()); } else {
debug('Cannot postMessage, no parent window.', type, data);
}
}
使用代码安全卫士扫描出
postMessage第二个参数存在中危漏洞，如何整改，我可以传window.location.origin么，会不会影响源代码的正常功能

[auvipy]

can you please elaborate more on english? thanks

[ZhangXiang521]

postMessage: function(type, data) {
if (global.parent !== global) {
global.parent.postMessage(JSON3.stringify({ global.parent.postMessage(JSON3.stringify({
global.parent.postMessage(JSON.stringify({ global.parent.postMessage(JSON.stringify({
windowId: module.exports.currentWindowId
, type: type
, data: data || ''
}), '');
typeof global.postMessage === 'object') && (!browser.isKonqueror()); } else {
debug('Cannot postMessage, no parent window.', type, data);
}
Scan with Code Security Guard
There is a medium risk vulnerability in the second parameter of postMessage. How can I fix it? Can I pass window.local.origin? Will it affect the normal function of the source code