mirror of
https://github.com/iv-org/invidious.git
synced 2024-12-20 21:24:21 -05:00
Fix XSS vulnerability in channel playlists
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.
This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.
Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").
Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
This commit is contained in:
parent
2ac19eb8fc
commit
ddb06b0cac
@ -47,7 +47,7 @@
|
|||||||
<%= translate(locale, "Switch Invidious Instance") %>
|
<%= translate(locale, "Switch Invidious Instance") %>
|
||||||
</a>
|
</a>
|
||||||
<% else %>
|
<% else %>
|
||||||
<a href="https://redirect.invidious.io<%= env.request.resource %>">
|
<a href="https://redirect.invidious.io/playlist?list=<%= playlist.id %>">
|
||||||
<%= translate(locale, "Switch Invidious Instance") %>
|
<%= translate(locale, "Switch Invidious Instance") %>
|
||||||
</a>
|
</a>
|
||||||
<% end %>
|
<% end %>
|
||||||
|
Loading…
Reference in New Issue
Block a user