1
0
Fork 0

Safer iframe creation

This commit is contained in:
Chocobozzz 2021-10-11 11:13:06 +02:00
parent 9b513232ac
commit bdb1dfc176
No known key found for this signature in database
GPG key ID: 583A612D890159BE
2 changed files with 10 additions and 19 deletions

View file

@ -1,4 +1,3 @@
import { escapeHTML } from '@shared/core-utils/renderer'
import { VideoFile } from '@shared/models'
function toTitleCase (str: string) {
@ -44,14 +43,15 @@ function isMobile () {
}
function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) {
const title = escapeHTML(embedTitle)
const iframe = document.createElement('iframe')
return '<iframe width="560" height="315" ' +
'sandbox="allow-same-origin allow-scripts allow-popups" ' +
'title="' + title + '" ' +
'src="' + embedUrl + '" ' +
'frameborder="0" allowfullscreen>' +
'</iframe>'
iframe.title = embedTitle
iframe.src = embedUrl
iframe.frameBorder = '0'
iframe.allowFullscreen = true
iframe.sandbox.add('allow-same-origin', 'allow-scripts', 'allow-popups')
return iframe.outerHTML
}
function videoFileMaxByResolution (files: VideoFile[]) {

View file

@ -53,7 +53,7 @@ function decorateVideoLink (options: {
}) {
const { url } = options
const params = generateParams(window.location.search)
const params = new URLSearchParams()
if (options.startTime !== undefined && options.startTime !== null) {
const startTimeInt = Math.floor(options.startTime)
@ -85,7 +85,7 @@ function decoratePlaylistLink (options: {
}) {
const { url } = options
const params = generateParams(window.location.search)
const params = new URLSearchParams()
if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition)
@ -119,12 +119,3 @@ function buildUrl (url: string, params: URLSearchParams) {
return url
}
function generateParams (url: string) {
const params = new URLSearchParams(window.location.search)
// Unused parameters in embed
params.delete('videoId')
params.delete('resume')
return params
}