From c2bd159acea6f0d662152af52e74a56427bd9fbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Sat, 30 Jan 2016 12:32:48 +0100
Subject: [PATCH] SECURITY: fix XSS in lazyYT plugin
---
 plugins/lazyYT/plugin.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/lazyYT/plugin.rb b/plugins/lazyYT/plugin.rb
index 4ba7bc42ed8..70475b73afa 100644
--- a/plugins/lazyYT/plugin.rb
+++ b/plugins/lazyYT/plugin.rb
@@ -22,7 +22,8 @@ class Onebox::Engine::YoutubeOnebox
 video_height = (params['height'] && params['height'].to_i <= 500) ? params['height'] : 270 # embed height # Put in the LazyYT div instead of the iframe
- "
" + escaped_title = ERB::Util.html_escape(video_title) + "
" else yt_onebox_to_html end
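Review bot: The escaping added here covers `video_title` only, while `video_height` on the hunk's first context line is still assigned the raw `params['height']` string once the `.to_i <= 500` check passes, so the value interpolated into the same markup is not guaranteed to be a plain integer. The check validates the numeric interpretation but returns the original string; assigning the coerced value closes that gap: `video_height = (params['height'] && params['height'].to_i <= 500) ? params['height'].to_i : 270 # embed height`. The same pattern presumably applies to `video_width` and the other values interpolated into the div, which lie outside this hunk (the div markup itself is not visible in this rendering), so they should be reviewed alongside. `ERB::Util.html_escape` also assumes `erb` is already loaded in this process; a `require 'erb'` at the top of the plugin would make that dependency explicit. The enclosing method starts before this hunk.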