v1.0.3 Support loading Angie sidebar anywhere and trigger with prompt #2
Conversation
| reject(new Error('Angie trigger request timed out')); | ||
| }, timeout); | ||
|
|
||
| const responseHandler = (event: MessageEvent) => { |
Check warning
Code scanning / CodeQL
Missing origin verification in `postMessage` handler Medium
Copilot Autofix
AI 4 months ago
The best way to fix this issue is to ensure that responseHandler verifies the event.origin property before processing the event. Specifically, only events from trusted origins should be processed. Since the SDK accepts an origin option (line 10 in AngieMcpSdkOptions), we should use this property where available, and otherwise default to the current origin (window.location.origin). The code adjustment is fully contained within the handler function at lines 221-228 in src/angie-mcp-sdk.ts.
- We will retrieve the configured origin (from an instance property such as `this.origin`).
- In `responseHandler`, add a check: if `event.origin` does not match the expected origin, exit early (`return`).
- We should avoid changing behavior otherwise; only act on messages from the correct origin.
No new imports are required; all necessary functionality is provided by the DOM and standard JavaScript.
| @@ -218,7 +218,12 @@ | ||
| reject(new Error('Angie trigger request timed out')); | ||
| }, timeout); | ||
|
|
||
| const expectedOrigin = this.options?.origin || window.location.origin; | ||
| const responseHandler = (event: MessageEvent) => { | ||
| if (event.origin !== expectedOrigin) { | ||
| // Ignore messages from unexpected origins | ||
| return; | ||
| } | ||
| if (event.data?.type === MessageEventType.SDK_TRIGGER_ANGIE_RESPONSE && | ||
| event.data?.payload?.requestId === requestId) { | ||
| clearTimeout(timeoutId); |
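Review bot: the fallback `this.options?.origin || window.location.origin` at R221 silently changes behaviour when `origin` is not configured and the sidebar iframe is served from another origin: every response is then dropped by the new check at R223 and the caller only ever sees 'Angie trigger request timed out'. Either make `origin` required (or derive it from the iframe's `src`) or document that the default only works for a same-origin iframe. Consider also comparing `event.source` with the iframe's `contentWindow` in the same `if`, so that only the sidebar window itself can satisfy the `requestId` match at R228.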
| throw new Error( 'Iframe not found' ); | ||
| } | ||
| } catch ( error ) { | ||
| console.error( `AngieMcpSdk:Failed to create client for SDK server "${ payload.serverName }":`, error ); |
Check failure
Code scanning / CodeQL
Use of externally-controlled format string High
user-provided value
Copilot Autofix
AI 4 months ago
The best way to fix this problem is to ensure that unsanitized user-controlled data is not interpolated directly into format strings. Instead, use a static format string and pass the user-controlled value as a separate argument to console.error, so that any format specifiers in the input are not interpreted as part of the format string. Specifically, change line 71 to use the static string `"AngieMcpSdk:Failed to create client for SDK server \"%s\":"`, with `payload.serverName` passed as an argument to console.error before `error`. This fix will involve only a small change at line 71 of src/sdk.ts.
| @@ -68,7 +68,7 @@ | ||
| throw new Error( 'Iframe not found' ); | ||
| } | ||
| } catch ( error ) { | ||
| console.error( `AngieMcpSdk:Failed to create client for SDK server "${ payload.serverName }":`, error ); | ||
| console.error( 'AngieMcpSdk:Failed to create client for SDK server "%s":', payload.serverName, error ); | ||
| } | ||
| break; | ||
|
|
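Review bot: the argument order at R71 is what makes the fix correct, so it should stay exactly as written: the console only interprets `%s` and friends in the first argument, so moving the externally received `payload.serverName` into the second position means it is substituted as plain text, and `error` is still appended as the third argument and printed in full. Two follow-ups worth noting in the PR: `serverName` is still logged verbatim, so if browser console output is forwarded to any log collector it should be treated as untrusted input there as well, and the `payload` this `catch` block reads comes from a message handler, so the origin check raised in the other two alerts also protects this code path.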
| } | ||
|
|
||
| export function setupMessageListener(): void { | ||
| window.addEventListener( 'message', function( event ) { |
Check warning
Code scanning / CodeQL
Missing origin verification in `postMessage` handler Medium
Copilot Autofix
AI 4 months ago
To fix this problem, the code should verify that the event.origin of the incoming postMessage events matches a list of trusted origins before taking any action. This check should occur at the start of the message handler. The best way to implement this is to define an allowlist of trusted origins (ideally, somewhere easy to update/maintain, e.g., as a constant at the top), and compare event.origin against this list before executing any logic based on the message. If the origin is not trusted, the message should be ignored, potentially with a warning in the console for easier debugging.
Required changes:
- Add a constant (e.g., `TRUSTED_ORIGIN`) or an array (e.g., `TRUSTED_ORIGINS`) containing the expected/trusted domain(s) at the top of the file or before the message handler.
- Modify the message handler in `setupMessageListener()` to check `event.origin` before acting on the message.
- No new libraries are required, as this can be accomplished with standard JS/TS features.
| @@ -253,8 +253,18 @@ | ||
| }; | ||
| } | ||
|
|
||
| // Define trusted origins for postMessage validation. | ||
| // TODO: Update this to the specific trusted origin(s) for your application. | ||
| const TRUSTED_ORIGINS = [ | ||
| 'https://www.example.com', // Replace with your actual trusted origin(s) | ||
| ]; | ||
|
|
||
| export function setupMessageListener(): void { | ||
| window.addEventListener( 'message', function( event ) { | ||
| if (!TRUSTED_ORIGINS.includes(event.origin)) { | ||
| console.warn(`Untrusted message origin received: ${event.origin}`); | ||
| return; | ||
| } | ||
| if ( event.data && event.data.type === 'toggleAngieSidebar' ) { | ||
| const { force, skipTransition } = event.data.payload || {}; | ||
| if ( window.toggleAngieSidebar ) { |
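Review bot: the allowlist at R256-R258 is a placeholder (`'https://www.example.com'` with a TODO), so merging the suggestion as-is would break the feature: every real `toggleAngieSidebar` message fails the `includes` check at R264 and is dropped with nothing but a `console.warn`. Populate `TRUSTED_ORIGINS` with the real admin origin before merge (for a same-origin iframe `window.location.origin` is the obvious value), and add a test that sends a message from that origin so a stale placeholder fails CI rather than production. Because `includes` is an exact string comparison, entries must be bare origins (scheme, host, optional port) with no trailing slash or path, and `'null'` (the origin reported by sandboxed iframes) must never be added.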
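The two origin-verification findings above (the `responseHandler` in `src/angie-mcp-sdk.ts` and `setupMessageListener()`) are variants of one check. As an added example that is not code from this PR or the Angie project, the JavaScript below gates a `message` event on a normalised origin allowlist and, optionally, on the sending window, and correlates a reply with its `requestId` the way the first hunk does; the helper names, the `TRIGGER_RESPONSE` type and the `admin.example.test` origin are constructed.

```javascript
// Added example, not code from the PR: origin/source gate for 'message' handlers (helper names hypothetical).

// Reduce an allowlist entry to a bare origin so 'https://h.test/' and
// 'https://h.test' compare equal; unparsable entries ('null' included) drop out.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch (err) {
    return null;
  }
}

// Build a predicate deciding whether a MessageEvent may be acted on.
//   trustedOrigins : origins allowed to send messages
//   expectedSource : optional Window the message must come from (e.g. the
//                    sidebar iframe's contentWindow), so a same-origin page
//                    that only knows the message shape is still rejected
function createMessageGate(trustedOrigins, expectedSource) {
  const allow = new Set(trustedOrigins.map(normalizeOrigin).filter(Boolean));
  return function isTrusted(event) {
    // Opaque origins (sandboxed iframes, data: URLs) report the string 'null'; never trust it.
    if (typeof event.origin !== 'string' || event.origin === 'null') return false;
    if (!allow.has(event.origin)) return false;
    if (expectedSource && event.source !== expectedSource) return false;
    return true;
  };
}

// Correlate a reply with its request: type and requestId must both match, as
// in the SDK hunk, so a stray message cannot resolve the pending promise.
function matchesResponse(event, type, requestId) {
  const data = event.data;
  return Boolean(data && data.type === type && data.payload &&
    data.payload.requestId === requestId);
}

// Constructed sample events (not captured traffic) exercising the gate.
function runSamples() {
  const iframeWindow = {}; // stands in for iframe.contentWindow
  const gate = createMessageGate(['https://admin.example.test/'], iframeWindow);
  const reply = { type: 'TRIGGER_RESPONSE', payload: { requestId: 'req-1' } };
  return {
    good: gate({ origin: 'https://admin.example.test', source: iframeWindow }),
    wrongScheme: gate({ origin: 'http://admin.example.test', source: iframeWindow }),
    wrongWindow: gate({ origin: 'https://admin.example.test', source: {} }),
    opaque: gate({ origin: 'null', source: iframeWindow }),
    matched: matchesResponse({ data: reply }, 'TRIGGER_RESPONSE', 'req-1'),
    staleId: matchesResponse({ data: reply }, 'TRIGGER_RESPONSE', 'req-2'),
  };
}
```

In a real handler the gate runs first and `matchesResponse` second, exactly the order the two hunks end up with once the origin check is added.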
✨ PR Description
Purpose: Add functionality to load Angie sidebar anywhere in WordPress admin and trigger AI responses through programmatic prompts.
Main changes:
Generated by LinearB AI and added by gitStream.