DP-41580-a11y-fix-editor-high-zoom #3105

Draft
clairesunstudio wants to merge 12 commits into develop from DP-41580-a11y-fix-editor-high-zoom

Conversation

@clairesunstudio
Contributor

No description provided.

@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat September 2, 2025 20:20 Destroyed
@arthurbaghdas
Collaborator

arthurbaghdas commented Sep 2, 2025

Fails
🚫 Add a changelog YAML file to this PR

Generated by 🚫 dangerJS against 4c823a6

@clairesunstudio clairesunstudio marked this pull request as draft September 3, 2025 00:24
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat September 9, 2025 04:30 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat September 30, 2025 14:19 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat September 30, 2025 20:03 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat October 2, 2025 22:04 Destroyed
@prisma-cloud-devsecops prisma-cloud-devsecops bot left a comment

Prisma Cloud has found errors in this PR ⬇️

```javascript
// Excerpt of toolbar-zoom-override.js as shown in the review comment (tail of an event listener)
if (role !== "button" && systemPath && systemPath.trim() !== "") {
  closeToolbarTray();
}
}, true);
```


MEDIUM  Insecure communication using postMessage and event listeners
File: toolbar-zoom-override.js | Checkov ID: CKV3_SAST_74


How To Fix

```javascript
const trustedOrigin = 'https://trusted.com';

// targetWindow is the window being messaged, e.g. an <iframe>'s contentWindow
// or window.parent (window itself has no contentWindow property).
targetWindow.postMessage(data, trustedOrigin);
window.addEventListener('message', function(event) {
  if (event.origin !== trustedOrigin) return;
  // Process event.data after verifying event.origin
}, false);
```


Description

CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A01:2021-Broken Access Control

In web applications, the postMessage method and the addEventListener for message events are used to facilitate cross-origin communication. When misconfigured, these can lead to security vulnerabilities such as data leakage or unauthorized actions.

One common vulnerability arises when using the wildcard origin (*) with the postMessage method. This allows any website to receive the message, potentially leading to sensitive information being exposed.

Similarly, not verifying the origin of the message in an addEventListener handler can lead to processing messages from malicious sources.

For example, vulnerable code might look like:

```javascript
// targetWindow is the window being messaged, e.g. an <iframe>'s contentWindow
// or window.parent. The wildcard target origin lets any page loaded there read the data.
targetWindow.postMessage(data, '*');
window.addEventListener('message', function(event) {
    // Process event.data without verifying event.origin
}, false);
```
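An added example (not code from the PR, from Checkov, or from the project) showing the fix pattern the finding describes: a message listener that accepts only allowlisted origins and well-formed payloads, plus a sender that refuses a wildcard target origin. The origins, message types and the fake window objects are constructed for illustration.

```javascript
// Allowlist of exact origins we are willing to accept messages from (constructed sample values).
// Exact string comparison also rejects "null" (opaque/sandboxed origins) and look-alike
// hosts that merely share a prefix with a trusted origin.
const TRUSTED_ORIGINS = new Set([
  "https://editor.example.gov",
  "https://preview.example.gov",
]);

// Wraps a business handler (onMessage) so that untrusted or malformed messages are dropped.
// The returned listener yields onMessage's result for accepted events and null for rejected ones.
// expectedSource (optional) pins the listener to one specific window (e.g. an iframe's contentWindow).
function createMessageHandler(trustedOrigins, onMessage, expectedSource) {
  return function handleMessage(event) {
    // 1. Origin check: the browser sets event.origin; it cannot be spoofed by the sender.
    if (!trustedOrigins.has(event.origin)) return null;
    // 2. Source check: even a trusted origin may have several windows open; bind to the expected one.
    if (expectedSource && event.source !== expectedSource) return null;
    // 3. Shape check: only act on structured messages with a string `type` discriminator.
    const data = event.data;
    if (!data || typeof data !== "object" || typeof data.type !== "string") return null;
    return onMessage(data);
  };
}

// Sends to a specific window with an explicit target origin. A wildcard would let whatever
// document is currently loaded in that window read the payload, so it is refused outright.
function postToWindow(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to postMessage with a wildcard target origin");
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Stand-alone demonstration with constructed event objects (no real browser window needed).
// Returns which message types got through: only the allowlisted origin with a valid payload.
function demo() {
  const accepted = [];
  const handler = createMessageHandler(TRUSTED_ORIGINS, (msg) => {
    accepted.push(msg.type);
    return msg.type;
  });
  handler({ origin: "https://editor.example.gov", data: { type: "closeToolbarTray" } });
  handler({ origin: "https://editor.example.gov.attacker.example", data: { type: "closeToolbarTray" } });
  handler({ origin: "null", data: { type: "closeToolbarTray" } });
  handler({ origin: "https://preview.example.gov", data: "closeToolbarTray" }); // not an object
  return accepted;
}
```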

@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat October 7, 2025 04:28 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat October 14, 2025 04:30 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat October 21, 2025 04:26 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat October 28, 2025 04:27 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat November 4, 2025 04:26 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat November 11, 2025 04:27 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat November 18, 2025 04:25 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat November 25, 2025 04:24 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat December 2, 2025 04:25 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat December 9, 2025 04:24 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat December 16, 2025 04:24 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat December 23, 2025 04:25 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat December 30, 2025 04:26 Destroyed
@arthurbaghdas arthurbaghdas temporarily deployed to Tugboat January 6, 2026 04:44 Destroyed