authorChocobozzz <me@florianbigard.com>2021-10-11 11:13:06 +0200
committerChocobozzz <me@florianbigard.com>2021-10-11 11:13:27 +0200
commitbdb1dfc17653ca327c2656922a651762fd222a24 (patch)
treefbc175cab61f6147dabeccaee889c00da48c2a17
parent9b513232ac916e963a3ad85a0cef777638143b70 (diff)
downloadPeerTube-bdb1dfc17653ca327c2656922a651762fd222a24.tar.gz
PeerTube-bdb1dfc17653ca327c2656922a651762fd222a24.tar.zst
PeerTube-bdb1dfc17653ca327c2656922a651762fd222a24.zip
Safer iframe creation
-rw-r--r--client/src/assets/player/utils.ts18
-rw-r--r--shared/core-utils/common/url.ts13
2 files changed, 11 insertions, 20 deletions
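--- a/client/src/assets/player/utils.ts
+++ b/client/src/assets/player/utils.ts
@@ -1,4 +1,3 @@
-import { escapeHTML } from '@shared/core-utils/renderer'
 import { VideoFile } from '@shared/models'
 
 function toTitleCase (str: string) {
@@ -44,14 +43,15 @@ function isMobile () {
 }
 
 function buildVideoOrPlaylistEmbed (embedUrl: string, embedTitle: string) {
-  const title = escapeHTML(embedTitle)
-
-  return '<iframe width="560" height="315" ' +
-    'sandbox="allow-same-origin allow-scripts allow-popups" ' +
-    'title="' + title + '" ' +
-    'src="' + embedUrl + '" ' +
-    'frameborder="0" allowfullscreen>' +
-    '</iframe>'
+  const iframe = document.createElement('iframe')
+
+  iframe.title = embedTitle
+  iframe.src = embedUrl
+  iframe.frameBorder = '0'
+  iframe.allowFullscreen = true
+  iframe.sandbox.add('allow-same-origin', 'allow-scripts', 'allow-popups')
+
+  return iframe.outerHTML
 }
 
 function videoFileMaxByResolution (files: VideoFile[]) {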
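Review bot: The rebuilt embed drops the `width="560"` and `height="315"` attributes the old string carried, so the markup returned by buildVideoOrPlaylistEmbed no longer sizes the iframe; add `iframe.width = '560'` and `iframe.height = '315'` next to the other attribute assignments. Serialising through `outerHTML` is what now escapes `embedTitle` and `embedUrl` into attribute values, which is why the escapeHTML import could go, so a one-line comment such as `// outerHTML escapes the attribute values; do not go back to string concatenation` would keep the next maintainer from undoing the fix. The `allow-same-origin` plus `allow-scripts` sandbox pair is carried over unchanged from the old string; whether that combination is intended for the embed origin deserves a comment, but it is not something this commit changes.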
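--- a/shared/core-utils/common/url.ts
+++ b/shared/core-utils/common/url.ts
@@ -53,7 +53,7 @@ function decorateVideoLink (options: {
 }) {
   const { url } = options
 
-  const params = generateParams(window.location.search)
+  const params = new URLSearchParams()
 
   if (options.startTime !== undefined && options.startTime !== null) {
     const startTimeInt = Math.floor(options.startTime)
@@ -85,7 +85,7 @@ function decoratePlaylistLink (options: {
 }) {
   const { url } = options
 
-  const params = generateParams(window.location.search)
+  const params = new URLSearchParams()
 
   if (options.playlistPosition) params.set('playlistPosition', '' + options.playlistPosition)
 
@@ -119,12 +119,3 @@ function buildUrl (url: string, params: URLSearchParams) {
 
   return url
 }
-
-function generateParams (url: string) {
-  const params = new URLSearchParams(window.location.search)
-  // Unused parameters in embed
-  params.delete('videoId')
-  params.delete('resume')
-
-  return params
-}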
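Review bot: The two `new URLSearchParams()` lines in decorateVideoLink and decoratePlaylistLink change the contract silently — the generated link no longer inherits the current page's query string — and nothing in the code records that this is deliberate; a comment such as `// Start from an empty query: the page's own parameters are not forwarded into the generated link` on each would make it explicit. This also appears to remove the last `window` reference from a module under shared/, which presumably must stay usable outside a browser; that is worth a sentence in the commit description or a comment. Both decorate functions start before their hunk and buildUrl's body is only partly visible, so I cannot confirm how an empty params object is serialised there.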