Mirror of https://gitea.invidious.io/iv-org/invidious.git, synced 2024-08-15 00:53:41 +00:00
	Fix XSS vulnerability in channel playlists
The channel/<ucid>/playlists page was vulnerable to Cross-Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious JavaScript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
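The reflection pattern the commit message describes, re-created in Python as an added example (this is not Invidious code, whose templates are Crystal/ECR): the "before" renderer splices the raw request resource (path plus query string) into the href, the "after" renderer builds the href from the playlist ID alone, and the example adds ID validation and URL/HTML encoding as defence in depth, which the commit itself does not do. The channel ID, playlist ID, crafted query string and the `injected_tags` check are all constructed for this example.

```python
"""Reflected XSS through an unescaped request URL in an href, and the fix.

Constructed example: the renderers below imitate the shape of the template
logic the commit touches but are not Invidious code. All inputs are made up.
"""
import html
import re
import urllib.parse

REDIRECT_BASE = "https://redirect.invidious.io"

# Assumed playlist-ID alphabet (YouTube IDs use base64url-style characters);
# adjust if the real validation rules differ.
PLAYLIST_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# Any tag other than the single <a>...</a> we intend to emit is an injection.
TAG_RE = re.compile(r"<(/?[A-Za-z]+)")


def switch_link_vulnerable(request_resource: str) -> str:
    """Pre-fix behaviour: path + query string of the request go into the
    attribute verbatim, so a crafted link controls the rest of the markup."""
    return f'<a href="{REDIRECT_BASE}{request_resource}">Switch instance</a>'


def switch_link_encoded_only(playlist_id: str) -> str:
    """Post-fix shape (fixed path, only the ID is dynamic) with the ID
    URL-encoded and the whole href HTML-escaped. Even a hostile ID cannot
    close the attribute: '"' becomes %22 before it reaches the markup."""
    query = urllib.parse.urlencode({"list": playlist_id})
    href = html.escape(f"{REDIRECT_BASE}/playlist?{query}")
    return f'<a href="{href}">Switch instance</a>'


def switch_link_fixed(playlist_id: str) -> str:
    """Defence in depth: reject IDs outside the expected alphabet, then
    encode as above."""
    if not PLAYLIST_ID_RE.fullmatch(playlist_id):
        raise ValueError(f"unexpected characters in playlist id: {playlist_id!r}")
    return switch_link_encoded_only(playlist_id)


def rejects_id(playlist_id: str) -> bool:
    """True when the validating renderer refuses the ID."""
    try:
        switch_link_fixed(playlist_id)
    except ValueError:
        return True
    return False


def injected_tags(markup: str) -> list[str]:
    """Return every tag name in the rendered markup except the intended
    <a> and </a>. A non-empty list means the attribute was broken out of."""
    return [t for t in TAG_RE.findall(markup) if t.lower() not in ("a", "/a")]


# Constructed crafted request: what the server sees for a link of the form
# /channel/<ucid>/playlists?sort=last"><script>...  (no real channel ID).
CRAFTED_RESOURCE = (
    "/channel/UCxxxxxxxxxxxxxxxxxxxxxx/playlists"
    '?sort=last"><script>alert(document.cookie)</script>'
)
SAMPLE_PLAYLIST_ID = "PLxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # constructed


if __name__ == "__main__":
    hostile = 'x"><script>alert(1)</script>'
    print("before:", switch_link_vulnerable(CRAFTED_RESOURCE))
    print("  injected:", injected_tags(switch_link_vulnerable(CRAFTED_RESOURCE)))
    print("after: ", switch_link_fixed(SAMPLE_PLAYLIST_ID))
    print("  injected:", injected_tags(switch_link_fixed(SAMPLE_PLAYLIST_ID)))
    print("hostile id rejected:", rejects_id(hostile))
    print("encoding alone still safe:", injected_tags(switch_link_encoded_only(hostile)))
```

Run it directly to see the broken-out markup next to the safe one. The two layers are deliberately separate: `switch_link_encoded_only` shows that output encoding alone already prevents the breakout, while `switch_link_fixed` adds the allow-list so that an unexpected ID is refused rather than silently encoded.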
Parent: 2ac19eb8fc
Commit: ddb06b0cac

1 changed file with 1 addition and 1 deletion
		|  | @ -47,7 +47,7 @@ | |||
|                             <%= translate(locale, "Switch Invidious Instance") %> | ||||
|                         </a> | ||||
|                     <% else %> | ||||
|                         <a href="https://redirect.invidious.io<%= env.request.resource %>"> | ||||
|                         <a href="https://redirect.invidious.io/playlist?list=<%= playlist.id %>"> | ||||
|                             <%= translate(locale, "Switch Invidious Instance") %> | ||||
|                         </a> | ||||
|                     <% end %> | ||||
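Review bot: the replacement `+` line still interpolates `playlist.id` with `<%= %>`, which in ECR does not HTML-escape, so this fix is only as strong as the guarantee that `playlist.id` is a validated playlist ID; wrapping it (`<%= HTML.escape(URI.encode_www_form(playlist.id)) %>` or equivalent) would keep the link safe regardless of where the ID was obtained. The removed line reflected `env.request.resource`, which is the path and query string of the request verbatim, so it is worth confirming that the branch above this `else` (whose `<a>` closes on the first context line) no longer uses it, and grepping the other views touched by 66e7285108 for the same `href="...<%= env.request.resource %>"` pattern, since the commit message attributes the bug to that change.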