Don't allow evaling JS in Milkdrop preset files (#1308)

* Don't allow evaling JS in Milkdrop preset files

* Add link
Jordan Eldredge 2025-07-14 16:31:27 -07:00 committed by GitHub
parent 910995d469
commit b7d759618e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -59,6 +59,11 @@ function Visualizer({ analyser, width, height }: Props) {
meshWidth: 32,
meshHeight: 24,
pixelRatio: window.devicePixelRatio || 1,
// Webamp may support rendering Milkdrop presets from untrusted sources.
// By using `onlyUseWASM` here we instruct Butterchurn not to `eval`
// JavaScript code included in older Butterchurn preset `.json` files.
// https://jordaneldredge.com/blog/speeding-up-winamps-music-visualizer-with-webassembly/#security
onlyUseWASM: true,
}
);
_visualizer.connectAudio(analyser);
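Review bot: The `onlyUseWASM: true` entry is, as far as this hunk shows, the only thing keeping JavaScript from an untrusted preset `.json` away from `eval`, and nothing visible stops it being dropped in a later refactor of this options object. I would make the comment say so directly, e.g. `// SECURITY: do not remove. Without this option Butterchurn will eval JS embedded in preset files.`, and add a test asserting the option is passed if the project has a suitable place for one. It is also worth confirming what happens to older presets that carry only JavaScript: presumably they now fail to load, and that failure path is outside this hunk. A Content-Security-Policy without `'unsafe-eval'` on pages that embed Webamp would be a useful backstop, though WebAssembly compilation may then need `'wasm-unsafe-eval'`. The enclosing `Visualizer` function starts and ends outside the hunk.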