diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
| commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
| tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/services.ts | |
| parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
| download | PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe modals too
Diffstat (limited to 'server/controllers/services.ts')
| -rw-r--r-- | server/controllers/services.ts | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/server/controllers/services.ts b/server/controllers/services.ts index cabcbc00b..7c7ca1ff3 100644 --- a/server/controllers/services.ts +++ b/server/controllers/services.ts | |||
| @@ -4,6 +4,7 @@ import { escapeHTML } from '@shared/core-utils/renderer' | |||
| 4 | import { EMBED_SIZE, PREVIEWS_SIZE, THUMBNAILS_SIZE, WEBSERVER } from '../initializers/constants' | 4 | import { EMBED_SIZE, PREVIEWS_SIZE, THUMBNAILS_SIZE, WEBSERVER } from '../initializers/constants' |
| 5 | import { asyncMiddleware, oembedValidator } from '../middlewares' | 5 | import { asyncMiddleware, oembedValidator } from '../middlewares' |
| 6 | import { accountNameWithHostGetValidator } from '../middlewares/validators' | 6 | import { accountNameWithHostGetValidator } from '../middlewares/validators' |
| 7 | import { forceNumber } from '@shared/core-utils' | ||
| 7 | 8 | ||
| 8 | const servicesRouter = express.Router() | 9 | const servicesRouter = express.Router() |
| 9 | 10 | ||
| @@ -108,8 +109,8 @@ function buildOEmbed (options: { | |||
| 108 | const { req, previewSize, previewPath, title, channel, embedPath } = options | 109 | const { req, previewSize, previewPath, title, channel, embedPath } = options |
| 109 | 110 | ||
| 110 | const webserverUrl = WEBSERVER.URL | 111 | const webserverUrl = WEBSERVER.URL |
| 111 | const maxHeight = parseInt(req.query.maxheight, 10) | 112 | const maxHeight = forceNumber(req.query.maxheight) |
| 112 | const maxWidth = parseInt(req.query.maxwidth, 10) | 113 | const maxWidth = forceNumber(req.query.maxwidth) |
| 113 | 114 | ||
| 114 | const embedUrl = webserverUrl + embedPath | 115 | const embedUrl = webserverUrl + embedPath |
| 115 | const embedTitle = escapeHTML(title) | 116 | const embedTitle = escapeHTML(title) |