From bdb1dfc17653ca327c2656922a651762fd222a24 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Mon, 11 Oct 2021 11:13:06 +0200
Subject: [PATCH] Safer iframe creation

---
 client/src/assets/player/utils.ts | 16 ++++++++--------
 shared/core-utils/common/url.ts | 13 ++-----------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/client/src/assets/player/utils.ts b/client/src/assets/player/utils.ts
index f2e9adb14..cbca1065f 100644
--- a/client/src/assets/player/utils.ts
+++ b/client/src/assets/player/utils.ts
@@ -1,4 +1,3 @@
-import { escapeHTML } from '@shared/core-utils/renderer'
 import { VideoFile } from '@shared/models'
 function toTitleCase (str: string) {
@@ -44,14 +43,15 @@ function isMobile () {
 }
 function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) {
- const title = escapeHTML(embedTitle)
+ const iframe = document.createElement('iframe')
- return ''
+ iframe.title = embedTitle
+ iframe.src = embedUrl
+ iframe.frameBorder = '0'
+ iframe.allowFullscreen = true
+ iframe.sandbox.add('allow-same-origin', 'allow-scripts', 'allow-popups')
+
+ return iframe.outerHTML
 }
 function videoFileMaxByResolution (files: VideoFile[]) {
diff --git a/shared/core-utils/common/url.ts b/shared/core-utils/common/url.ts
index 52ed247c4..9c111cbcc 100644
--- a/shared/core-utils/common/url.ts
+++ b/shared/core-utils/common/url.ts
@@ -53,7 +53,7 @@ function decorateVideoLink (options: {
 }) {
 const { url } = options
- const params = generateParams(window.location.search)
+ const params = new URLSearchParams()
 if (options.startTime !== undefined && options.startTime !== null) {
 const startTimeInt = Math.floor(options.startTime)
@@ -85,7 +85,7 @@ function decoratePlaylistLink (options: {
 }) {
 const { url } = options
- const params = generateParams(window.location.search)
+ const params = new URLSearchParams()
 if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition)
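Review bot: `iframe.src = embedUrl` takes the URL verbatim, so the DOM serialization behind `iframe.outerHTML` only replaces the attribute-escaping that `escapeHTML` used to do for the title; it does not validate the URL itself. If `embedUrl` can ever come from anywhere other than the app's own link builders, a scheme check before the assignment (`new URL(embedUrl).protocol` limited to `http:`/`https:`) would close that gap; if it is always app-generated, a comment stating that assumption would do. The function also deserves a header comment on why the element is built through the DOM: `// Build via the DOM so the browser serializer escapes attribute values (title, src); no manual escaping needed`. Note too that `allow-same-origin` combined with `allow-scripts` means the sandbox is only an effective boundary for cross-origin embeds, which is worth recording next to the `sandbox.add` call so nobody later assumes same-origin embeds are constrained by it.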
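Review bot: Starting from an empty `URLSearchParams` here (and likewise in `decoratePlaylistLink` in the next hunk) drops whatever query string the current page carried, a behaviour change that the subject "Safer iframe creation" does not mention and the patch has no description body. A one-line comment on the new line, `// Start from an empty query: never forward the page's own search params into generated links`, would record that this is intentional rather than an oversight. The `options` type and the remainder of `decorateVideoLink`'s body lie outside the hunk.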
@@ -119,12 +119,3 @@ function buildUrl (url: string, params: URLSearchParams) {
 return url
 }
-
-function generateParams (url: string) {
- const params = new URLSearchParams(window.location.search)
- // Unused parameters in embed
- params.delete('videoId')
- params.delete('resume')
-
- return params
-}