Fix severe vulnerability in case of a malicious Piped/YouTube server.

FireMasterK
2021-06-07 00:42:03 +05:30
parent 20ddaab9e3
commit acf81f386f
5 changed files with 19 additions and 6 deletions


@@ -4,7 +4,7 @@
<div v-if="channel" v-show="!channel.error">
<h1 class="uk-text-center"><img height="48" width="48" v-bind:src="channel.avatarUrl" />{{ channel.name }}</h1>
<img v-if="channel.bannerUrl" v-bind:src="channel.bannerUrl" style="width: 100%" loading="lazy" />
<p v-html="this.channel.description" style="white-space: pre"></p>
<p v-html="purifyHTML(this.channel.description)" style="white-space: pre"></p>
<hr />
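Review bot: On the description paragraph the sanitiser is called inside the `v-html` expression, so `purifyHTML` re-parses the whole description each time the component re-renders. A computed property keeps the sanitising at the sink and caches the result, e.g. `<p v-html="purifiedDescription" style="white-space: pre"></p>`; the `this.` prefix is also unnecessary in a template expression. `purifyHTML` is defined outside this section, so its allow-list cannot be checked from here. A short comment beside the binding, such as `<!-- channel.description is server-supplied HTML: only bind it through purifyHTML -->`, would tell the next editor why the wrapper must stay.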


@@ -1,6 +1,6 @@
<template>
<div class="uk-container uk-container-xlarge">
<ErrorHandler v-if="video.error" :message="video.message" :error="video.error" />
<ErrorHandler v-if="video && video.error" :message="video.message" :error="video.error" />
<div v-show="!video.error">
<Player ref="videoPlayer" :video="video" :sponsors="sponsors" :selectedAutoPlay="selectedAutoPlay" />
@@ -169,10 +169,12 @@ export default {
if (!this.video.error) {
document.title = this.video.title + " - Piped";
this.video.description = this.video.description
.replaceAll("http://www.youtube.com", "")
.replaceAll("https://www.youtube.com", "")
.replaceAll("\n", "<br>");
this.video.description = this.purifyHTML(
this.video.description
.replaceAll("http://www.youtube.com", "")
.replaceAll("https://www.youtube.com", "")
.replaceAll("\n", "<br>"),
);
this.$refs.videoPlayer.loadVideo();
}
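Review bot: In the description hunk the sanitised string is stored back over `this.video.description`, so the protection depends on every future assignment to `video` passing through this branch; the binding that renders the description is outside the visible hunks. Sanitising at the binding itself, as the channel page in this commit does, would keep raw server HTML from ever reaching it, presumably a `v-html`. The chained `.replaceAll` calls also assume the server always sends a string: a response with no `description` throws before `loadVideo()` runs, and `(this.video.description ?? "")` would avoid that. In the first hunk of this file the new `video && video.error` guard covers only `ErrorHandler`; the next line still evaluates `!video.error`, so a falsy `video` would throw there unless it becomes `v-show="video && !video.error"`.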