Safer iframe creation

Chocobozzz 2021-10-11 11:13:06 +02:00
parent 9b513232ac
commit bdb1dfc176
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
2 changed files with 10 additions and 19 deletions


@ -1,4 +1,3 @@
import { escapeHTML } from '@shared/core-utils/renderer'
import { VideoFile } from '@shared/models' import { VideoFile } from '@shared/models'
function toTitleCase (str: string) { function toTitleCase (str: string) {
@ -44,14 +43,15 @@ function isMobile () {
} }
function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) { function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) {
const title = escapeHTML(embedTitle) const iframe = document.createElement('iframe')
return '<iframe width="560" height="315" ' + iframe.title = embedTitle
'sandbox="allow-same-origin allow-scripts allow-popups" ' + iframe.src = embedUrl
'title="' + title + '" ' + iframe.frameBorder = '0'
'src="' + embedUrl + '" ' + iframe.allowFullscreen = true
'frameborder="0" allowfullscreen>' + iframe.sandbox.add('allow-same-origin', 'allow-scripts', 'allow-popups')
'</iframe>'
return iframe.outerHTML
} }
function videoFileMaxByResolution (files: VideoFile[]) { function videoFileMaxByResolution (files: VideoFile[]) {
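Review bot: `iframe.src = embedUrl` still accepts any URL unvalidated; building the element through the DOM and serialising with `outerHTML` (the point of the commit) gets `title` and `src` attribute-escaped, but a `javascript:` or other non-http(s) embedUrl would be serialised untouched into the embed snippet that users copy elsewhere. Whether embedUrl can ever carry user-controlled data is not visible from this hunk; if it can, check the scheme before assignment: `const scheme = new URL(embedUrl).protocol` followed by `if (scheme !== 'http:' && scheme !== 'https:') throw new Error('Unsupported embed URL scheme')`. The `allow-same-origin allow-scripts` sandbox pair is carried over unchanged from the old string and deserves a comment, since together they let a same-origin framed document remove its own sandbox attribute, so the sandbox is only meaningful when the embed is hosted cross-origin. The function also has no doc comment; `/** Build the HTML snippet for embedding a video or playlist; built via the DOM so attribute values are escaped by the serializer. */` would record why string concatenation was dropped.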


@ -53,7 +53,7 @@ function decorateVideoLink (options: {
}) { }) {
const { url } = options const { url } = options
const params = generateParams(window.location.search) const params = new URLSearchParams()
if (options.startTime !== undefined && options.startTime !== null) { if (options.startTime !== undefined && options.startTime !== null) {
const startTimeInt = Math.floor(options.startTime) const startTimeInt = Math.floor(options.startTime)
@ -85,7 +85,7 @@ function decoratePlaylistLink (options: {
}) { }) {
const { url } = options const { url } = options
const params = generateParams(window.location.search) const params = new URLSearchParams()
if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition) if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition)
@ -119,12 +119,3 @@ function buildUrl (url: string, params: URLSearchParams) {
return url return url
} }
function generateParams (url: string) {
const params = new URLSearchParams(window.location.search)
// Unused parameters in embed
params.delete('videoId')
params.delete('resume')
return params
}
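Review bot: The new `const params = new URLSearchParams()` in decorateVideoLink (and the same line in decoratePlaylistLink) silently changes what ends up in generated links: the current page's `window.location.search` is no longer copied into the embed URL, so only parameters these functions set themselves survive. That is a sound hardening, as it stops arbitrary page query parameters, which anyone linking to the page controls, from being reflected into an embed URL handed to third-party sites, but nothing in the code records the intent and a later change could reintroduce the forwarding by mistake. A one-line comment at the declaration would pin it: `// Start empty on purpose: never forward the current page's query string into embed URLs`. Both functions begin before their hunks and continue after them, so the rest of their bodies is not reviewed here.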