Fix severe vulnerability in case of a malicious Piped/YouTube server.

2024-08-14 23:57:27 +00:00 · 2021-06-07 00:42:03 +05:30 · 2021-06-07 00:42:03 +05:30 · acf81f386f
commit acf81f386f
parent 20ddaab9e3
5 changed files with 19 additions and 6 deletions
--- a/src/components/Channel.vue
+++ b/src/components/Channel.vue
@ -4,7 +4,7 @@
    <div v-if="channel" v-show="!channel.error">
        <h1 class="uk-text-center"><img height="48" width="48" v-bind:src="channel.avatarUrl" />{{ channel.name }}</h1>
        <img v-if="channel.bannerUrl" v-bind:src="channel.bannerUrl" style="width: 100%" loading="lazy" />
-        <p v-html="this.channel.description" style="white-space: pre"></p>
+        <p v-html="purifyHTML(this.channel.description)" style="white-space: pre"></p>

        <hr />

--- a/src/components/WatchVideo.vue
+++ b/src/components/WatchVideo.vue
@ -1,6 +1,6 @@
 <template>
    <div class="uk-container uk-container-xlarge">
-        <ErrorHandler v-if="video.error" :message="video.message" :error="video.error" />
+        <ErrorHandler v-if="video && video.error" :message="video.message" :error="video.error" />

        <div v-show="!video.error">
            <Player ref="videoPlayer" :video="video" :sponsors="sponsors" :selectedAutoPlay="selectedAutoPlay" />
@ -169,10 +169,12 @@ export default {
                    if (!this.video.error) {
                        document.title = this.video.title + " - Piped";

-                        this.video.description = this.video.description
-                            .replaceAll("http://www.youtube.com", "")
-                            .replaceAll("https://www.youtube.com", "")
-                            .replaceAll("\n", "<br>");
+                        this.video.description = this.purifyHTML(
+                            this.video.description
+                                .replaceAll("http://www.youtube.com", "")
+                                .replaceAll("https://www.youtube.com", "")
+                                .replaceAll("\n", "<br>"),
+                        );

                        this.$refs.videoPlayer.loadVideo();
                    }
--- a/src/main.js
+++ b/src/main.js
@ -11,6 +11,8 @@ import("uikit/dist/js/uikit-core.min");
 import router from "@/router/router";
 import App from "./App.vue";

+import DOMPurify from 'dompurify';
+
 import("./registerServiceWorker");

 const mixin = {
@ -58,6 +60,9 @@ const mixin = {
                return response.json();
            });
        },
+        purifyHTML(original) {
+            return DOMPurify.sanitize(original);
+        }
    },
 };