SECURITY: fix XSS in lazyYT plugin

2024-11-23 09:26:54 -06:00 · 2016-01-30 12:32:48 +01:00 · 2016-01-30 12:32:48 +01:00 · c2bd159ace
commit c2bd159ace
parent 161170aabe
1 changed files with 2 additions and 1 deletions
--- a/plugins/lazyYT/plugin.rb
+++ b/plugins/lazyYT/plugin.rb
@ -22,7 +22,8 @@ class Onebox::Engine::YoutubeOnebox
      video_height = (params['height'] && params['height'].to_i <= 500) ? params['height'] : 270 # embed height

      # Put in the LazyYT div instead of the iframe
-      "<div class=\"lazyYT\" data-youtube-id=\"#{video_id}\" data-youtube-title=\"#{video_title}\" data-width=\"#{video_width}\" data-height=\"#{video_height}\" data-parameters=\"#{embed_params}\"></div>"
+      escaped_title = ERB::Util.html_escape(video_title)
+      "<div class=\"lazyYT\" data-youtube-id=\"#{video_id}\" data-youtube-title=\"#{escaped_title}\" data-width=\"#{video_width}\" data-height=\"#{video_height}\" data-parameters=\"#{embed_params}\"></div>"
    else
      yt_onebox_to_html
    end