Safer iframe creation

client/src/assets/player/utils.ts

@@ -1,4 +1,3 @@
-import { escapeHTML } from '@shared/core-utils/renderer'
 import { VideoFile } from '@shared/models'
 
 function toTitleCase (str: string) {
@@ -44,14 +43,15 @@ function isMobile () {
 }
 
 function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) {
-  const title = escapeHTML(embedTitle)
+  const iframe = document.createElement('iframe')
 
-  return '<iframe width="560" height="315" ' +
-    'sandbox="allow-same-origin allow-scripts allow-popups" ' +
-    'title="' + title + '" ' +
-    'src="' + embedUrl + '" ' +
-    'frameborder="0" allowfullscreen>' +
-    '</iframe>'
+  iframe.title = embedTitle
+  iframe.src = embedUrl
+  iframe.frameBorder = '0'
+  iframe.allowFullscreen = true
+  iframe.sandbox.add('allow-same-origin', 'allow-scripts', 'allow-popups')
+
+  return iframe.outerHTML
 }
 
 function videoFileMaxByResolution (files: VideoFile[]) {

shared/core-utils/common/url.ts

@@ -53,7 +53,7 @@ function decorateVideoLink (options: {
 }) {
   const { url } = options
 
-  const params = generateParams(window.location.search)
+  const params = new URLSearchParams()
 
   if (options.startTime !== undefined && options.startTime !== null) {
     const startTimeInt = Math.floor(options.startTime)
@@ -85,7 +85,7 @@ function decoratePlaylistLink (options: {
 }) {
   const { url } = options
 
-  const params = generateParams(window.location.search)
+  const params = new URLSearchParams()
 
   if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition)
 
@@ -119,12 +119,3 @@ function buildUrl (url: string, params: URLSearchParams) {
 
   return url
 }
-
-function generateParams (url: string) {
-  const params = new URLSearchParams(window.location.search)
-  // Unused parameters in embed
-  params.delete('videoId')
-  params.delete('resume')
-
-  return params
-}