ProjectSegfault/invidious-experimenting
4
0
Fork 0
forked from midou/invidious
Code Pull Requests Activity
Files
ddb06b0cac4c0b78e2e8e085791bce4c3a760625
invidious-experimenting/src/invidious/views
History
Samantaz Fox ddb06b0cac Fix XSS vulnerability in channel playlists 
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
2021-12-19 20:51:44 +01:00
..
components
Add other missing translations
2021-11-21 01:54:46 +01:00
feeds
Add other missing translations
2021-11-21 01:54:46 +01:00
add_playlist_items.ecr
Fix URL-encoding in href strings (#2460)
2021-10-11 05:18:20 -07:00
authorize_token.ecr
Multiple front-end fixes (#2247)
2021-07-15 23:01:36 +02:00
change_password.ecr
Update to Crystal 0.31.0, resolve compiler deprecation warnings, update dependencies (#764)
2019-09-24 13:31:33 -04:00
channel.ecr
Use env.request.resource for instance switch link
2021-10-26 16:12:25 -07:00
clear_watch_history.ecr
Update to Crystal 0.31.0, resolve compiler deprecation warnings, update dependencies (#764)
2019-09-24 13:31:33 -04:00
community.ecr
Use env.request.resource for instance switch link
2021-10-26 16:12:25 -07:00
create_playlist.ecr
Add support for custom playlists
2019-10-15 21:17:14 -04:00
data_control.ecr
Update link to instructions
2020-12-07 13:34:40 +01:00
delete_account.ecr
Update to Crystal 0.31.0, resolve compiler deprecation warnings, update dependencies (#764)
2019-09-24 13:31:33 -04:00
delete_playlist.ecr
Add support for custom playlists
2019-10-15 21:17:14 -04:00
edit_playlist.ecr
Multiple front-end fixes (#2247)
2021-07-15 23:01:36 +02:00
embed.ecr
Move themes into default.css
2020-11-17 22:53:45 +01:00
error.ecr
Add redirect buttons to error template
2021-06-19 04:16:18 -07:00
licenses.ecr
Change videojs-vr to the unminified version
2021-05-23 09:24:49 -07:00
login.ecr
Remove login type button from frontend (#2423)
2021-09-23 08:44:26 +02:00
message.ecr
Add popular-enabled option
2020-12-27 06:12:43 +01:00
mix.ecr
Multiple front-end fixes (#2247)
2021-07-15 23:01:36 +02:00
playlist.ecr
Fix XSS vulnerability in channel playlists
2021-12-19 20:51:44 +01:00
playlists.ecr
Use env.request.resource for instance switch link
2021-10-26 16:12:25 -07:00
preferences.ecr
Add missing translation for quality selectors
2021-11-21 01:50:11 +01:00
privacy.ecr
Update privacy policy
2019-09-24 20:47:49 -04:00
search_homepage.ecr
Multiple search fixes
2021-06-13 21:52:36 +02:00
search.ecr
Fix URL-encoding in href strings (#2460)
2021-10-11 05:18:20 -07:00
subscription_manager.ecr
Multiple front-end fixes (#2247)
2021-07-15 23:01:36 +02:00
template.ecr
i18n: pass only the ISO code string to 'translate()'
2021-11-21 01:50:11 +01:00
token_manager.ecr
Migrate to a good Content Security Policy (#1023)
2020-03-15 16:46:08 -05:00
watch.ecr
Add other missing translations
2021-11-21 01:54:46 +01:00