From ddb06b0cac4c0b78e2e8e085791bce4c3a760625 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Sun, 19 Dec 2021 20:11:50 +0100
Subject: [PATCH] Fix XSS vulnerability in channel playlists

The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108363c3c3dcb814bdffb716c14e1724d
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
---
 src/invidious/views/playlist.ecr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/invidious/views/playlist.ecr b/src/invidious/views/playlist.ecr
index d0518de7..136981da 100644
--- a/src/invidious/views/playlist.ecr
+++ b/src/invidious/views/playlist.ecr
@@ -47,7 +47,7 @@
                             <%= translate(locale, "Switch Invidious Instance") %>
                         </a>
                     <% else %>
-                        <a href="https://redirect.invidious.io<%= env.request.resource %>">
+                        <a href="https://redirect.invidious.io/playlist?list=<%= playlist.id %>">
                             <%= translate(locale, "Switch Invidious Instance") %>
                         </a>
                     <% end %>