Fix severe vulnerability in case of a malicious Piped/YouTube server.

2025-12-13 19:48:17 +00:00 · 2021-06-07 00:42:03 +05:30
parent 20ddaab9e3
commit acf81f386f
5 changed files with 19 additions and 6 deletions
--- a/src/components/WatchVideo.vue
+++ b/src/components/WatchVideo.vue
@@ -1,6 +1,6 @@
 <template>
    <div class="uk-container uk-container-xlarge">
-        <ErrorHandler v-if="video.error" :message="video.message" :error="video.error" />
+        <ErrorHandler v-if="video && video.error" :message="video.message" :error="video.error" />

        <div v-show="!video.error">
            <Player ref="videoPlayer" :video="video" :sponsors="sponsors" :selectedAutoPlay="selectedAutoPlay" />
@@ -169,10 +169,12 @@ export default {
                    if (!this.video.error) {
                        document.title = this.video.title + " - Piped";

-                        this.video.description = this.video.description
-                            .replaceAll("http://www.youtube.com", "")
-                            .replaceAll("https://www.youtube.com", "")
-                            .replaceAll("\n", "<br>");
+                        this.video.description = this.purifyHTML(
+                            this.video.description
+                                .replaceAll("http://www.youtube.com", "")
+                                .replaceAll("https://www.youtube.com", "")
+                                .replaceAll("\n", "<br>"),
+                        );

                        this.$refs.videoPlayer.loadVideo();
                    }