Resolved vulnerability with using unsanitized strings

Author: lincolnfrog

README.md

@@ -51,16 +51,6 @@ This package lives in the npm index.
 
 **Current builds are not working on Windows ([#261](https://github.com/googlevr/vrview/issues/261))**
 
-Relevant commands:
-```shell
-$ npm run build # builds the iframe embed and JS API (full and minified versions).
-
-# Building
-
-This project uses `browserify` to manage dependencies and build. `watchify` is
-especially convenient to preserve the write-and-reload model of development.
-This package lives in the npm index.
-
 Relevant commands:
 ```shell
 $ npm run build # builds the iframe embed and JS API (full and minified versions).
@@ -77,3 +67,7 @@ $ npm run watch-api # auto-builds the JS API code whenever any source changes.
 ```
 As of 2017/06/13, the pre-built js artifacts have been removed from source
 control. You must run `npm run build` prior to trying any of the examples.
+
+# Release Notes
+## 2.0.2
+Close vulnerability with unsanitized user strings being injected into DOM

package.json

@@ -1,6 +1,6 @@
 {
   "name": "vrview",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "Embed VR content into your webpage.",
   "main": "index.js",
   "dependencies": {

src/embed/main.js

@@ -300,16 +300,20 @@ function onRenderError(message) {
   showError('Render: ' + message);
 }
 
-function showError(message, opt_title) {
+function showError(message) {
   // Hide loading indicator.
   loadIndicator.hide();
 
+  // Sanitize `message` as it could contain user supplied
+  // values. Re-add the space character as to not modify the
+  // error messages used throughout the codebase.
+  message = encodeURI(message).replace(/%20/g, ' ');
+
   var error = document.querySelector('#error');
   error.classList.add('visible');
   error.querySelector('.message').innerHTML = message;
 
-  var title = (opt_title !== undefined ? opt_title : 'Error');
-  error.querySelector('.title').innerHTML = title;
+  error.querySelector('.title').innerHTML = 'Error';
 }
 
 function hideError() {

src/embed/scene-info.js

@@ -42,9 +42,9 @@ function SceneInfo(opt_params) {
     muted: opt_params.muted
   };
 
-  this.image = params.image;
-  this.preview = params.preview;
-  this.video = params.video;
+  this.image = params.image !== undefined ? encodeURI(params.image) : undefined;
+  this.preview = params.preview !== undefined ? encodeURI(params.preview) : undefined;
+  this.video = params.video !== undefined ? encodeURI(params.video) : undefined;
   this.defaultYaw = THREE.Math.degToRad(params.defaultYaw || 0);
 
   this.isStereo = Util.parseBoolean(params.isStereo);