iv-org-mirror/invidious-copy-2023-06-08
1
0
Fork 0
mirror of https://gitea.invidious.io/iv-org/invidious-copy-2023-06-08.git synced 2024-08-15 00:53:38 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix XSS vulnerability in channel playlists

Browse source 
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
This commit is contained in:
Samantaz Fox 2021-12-19 20:11:50 +01:00
parent 2ac19eb8fc
commit ddb06b0cac
No known key found for this signature in database
GPG key ID: F42821059186176E
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/invidious/views/playlist.ecr
View file

@ -47,7 +47,7 @@
<%= translate(locale, "Switch Invidious Instance") %>
</a>
<% else %>
<a href="https://redirect.invidious.io<%= env.request.resource %>">
<a href="https://redirect.invidious.io/playlist?list=<%= playlist.id %>">
<%= translate(locale, "Switch Invidious Instance") %>
</a>
<% end %>