eosdac / eosdac-client-legacy

This is the frontend to interact with the DAC smart contracts.
MIT License

Do not download logo files during build #89

Closed michaeljyeates closed 5 years ago

michaeljyeates commented 5 years ago

We shouldn't download and host logo files from the same domain as the member client; if the logo is an SVG then it can trigger an RCE vulnerability.

Eventually we will download the logos but we have to put them into a different directory and serve from a different domain

piecesnbits commented 5 years ago

My suggestion would be to have the logo URL(s) inside the theme.json file.

michaeljyeates commented 5 years ago

That can be done, can you make an example?

piecesnbits commented 5 years ago

Something like this... [image]

michaeljyeates commented 5 years ago

Thanks, I'll add those to my build script (lowercase though).

We will also need one for the favicon, and both of the currency icons in the header. If we launch on other chains, we may need an easy way to override this without forking the client code

michaeljyeates commented 5 years ago

```json
"images": {
    "logo_url": "${logo_url}",
    "logo_notext_url": "${logo_notext_url}",
    "background_url": "${background_url}",
    "favicon_url": "${favicon_url}",
    "dac_currency_url": "${dac_currency_url}",
    "system_currency_url": "${system_currency_url}"
}
```
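An added example (not code from eosdac-client-legacy or its build script) that ties the two points above together: it fills the `${name}` placeholders of the `images` section from a map of build variables and rejects any image URL that the member client would serve from its own origin, since a script-bearing SVG loaded from that origin runs with the client's privileges. The client origin, the template keys used and all URLs are constructed for the example.

```javascript
// Constructed values for this example; the real client origin and CDN differ.
const CLIENT_ORIGIN = "https://members.example-dac.org";

const THEME_TEMPLATE = {
  images: {
    logo_url: "${logo_url}",
    logo_notext_url: "${logo_notext_url}",
    favicon_url: "${favicon_url}",
  },
};

// Substitute ${name} placeholders from the build variables; an unknown name
// fails the build instead of leaving a literal "${...}" in theme.json.
function fillPlaceholders(value, vars) {
  return value.replace(/\$\{([a-z_]+)\}/g, (_, name) => {
    if (!(name in vars)) throw new Error(`missing build variable: ${name}`);
    return vars[name];
  });
}

// Render the images section. Every URL must be absolute https and must not
// share an origin with the client, so an SVG can never be same-origin.
function renderImages(template, vars, clientOrigin) {
  const client = new URL(clientOrigin).origin;
  const out = {};
  for (const [key, raw] of Object.entries(template.images)) {
    const url = fillPlaceholders(raw, vars);
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      throw new Error(`${key}: not an absolute URL (relative paths would be served from the client)`);
    }
    if (parsed.protocol !== "https:") throw new Error(`${key}: must use https`);
    if (parsed.origin === client) throw new Error(`${key}: must not be served from the client origin`);
    out[key] = parsed.href;
  }
  return out;
}

// Boolean wrapper for callers that only need a pass/fail check.
function imagesAreSafe(template, vars, clientOrigin) {
  try {
    renderImages(template, vars, clientOrigin);
    return true;
  } catch {
    return false;
  }
}
```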
piecesnbits commented 5 years ago

OK, I'll add the other images too. However, the favicon will only update after a new build/dev command because it's a file that is needed during build. The dac_currency and system_currency symbols must be handled via an icon font instead of plain images. The background URL is already configurable via CSS.