mirror of
https://github.com/iv-org/invidious.git
synced 2024-10-01 01:25:56 -04:00
videos: Fix XSS vulnerability in description/comments
Patch provided by e-mail, thanks to an anonymous user whose cats are named Yoshi and Yasuo. Comment is mine
This commit is contained in:
parent
e319c35f09
commit
0b28054f8a
@ -36,7 +36,13 @@ def parse_description(desc, video_id : String) : String?
|
|||||||
return "" if content.empty?
|
return "" if content.empty?
|
||||||
|
|
||||||
commands = desc["commandRuns"]?.try &.as_a
|
commands = desc["commandRuns"]?.try &.as_a
|
||||||
return content if commands.nil?
|
if commands.nil?
|
||||||
|
# Slightly faster than HTML.escape, as we're only doing one pass on
|
||||||
|
# the string instead of five for the standard library
|
||||||
|
return String.build do |str|
|
||||||
|
copy_string(str, content.each_codepoint, content.size)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
# Not everything is stored in UTF-8 on youtube's side. The SMP codepoints
|
# Not everything is stored in UTF-8 on youtube's side. The SMP codepoints
|
||||||
# (0x10000 and above) are encoded as UTF-16 surrogate pairs, which are
|
# (0x10000 and above) are encoded as UTF-16 surrogate pairs, which are
|
||||||
|
Loading…
Reference in New Issue
Block a user