authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/services.ts
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
Don't inject untrusted input
Even if it's already checked in middlewares, it's better to have safe modals too
Diffstat (limited to 'server/controllers/services.ts')
-rw-r--r--server/controllers/services.ts5
1 files changed, 3 insertions, 2 deletions
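--- a/server/controllers/services.ts
+++ b/server/controllers/services.ts
@@ -4,6 +4,7 @@ import { escapeHTML } from '@shared/core-utils/renderer'
 import { EMBED_SIZE, PREVIEWS_SIZE, THUMBNAILS_SIZE, WEBSERVER } from '../initializers/constants'
 import { asyncMiddleware, oembedValidator } from '../middlewares'
 import { accountNameWithHostGetValidator } from '../middlewares/validators'
+import { forceNumber } from '@shared/core-utils'
 
 const servicesRouter = express.Router()
 
@@ -108,8 +109,8 @@ function buildOEmbed (options: {
   const { req, previewSize, previewPath, title, channel, embedPath } = options
 
   const webserverUrl = WEBSERVER.URL
-  const maxHeight = parseInt(req.query.maxheight, 10)
-  const maxWidth = parseInt(req.query.maxwidth, 10)
+  const maxHeight = forceNumber(req.query.maxheight)
+  const maxWidth = forceNumber(req.query.maxwidth)
 
   const embedUrl = webserverUrl + embedPath
   const embedTitle = escapeHTML(title)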
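Review bot: The coerced `maxHeight` and `maxWidth` on new lines 112–113 can still end up as NaN when the query parameter is absent, repeated (Express then hands over an array) or non-numeric, and nothing in the hunk shows a fallback before the values are consumed further down in buildOEmbed. If forceNumber does not substitute a default itself, a one-line guard such as `const maxHeight = forceNumber(req.query.maxheight) || EMBED_SIZE.height` (the shape of EMBED_SIZE needs confirming) would keep a malformed request from yielding NaN dimensions in the oEmbed response, independently of what oembedValidator already rejects. The motivation for the switch is only in the commit message, so a short comment above line 112 would help the next reader: `// query values are untrusted input: coerce to a plain number before they reach the oEmbed payload`. The new import sits next to the existing `@shared/core-utils/renderer` import but is added after the local `../middlewares` group, which breaks the file's grouping of shared vs. local imports. buildOEmbed begins and ends outside this hunk, so the downstream use of these values is not visible here.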