From ddb06b0cac4c0b78e2e8e085791bce4c3a760625 Mon Sep 17 00:00:00 2001
From: Samantaz Fox
Date: Sun, 19 Dec 2021 20:11:50 +0100
Subject: [PATCH] Fix XSS vulnerability in channel playlists

The channel//playlists page was vulnerable to Cross Site Scripting (XSS), because the different URL parameters were inserted as-is in the URL meant for instance switching. This vulnerability could allow an attacker to inject malicious Javascript in the page by tricking the user to click on a crafted link. Bug introduced in commit 66e7285108363c3c3dcb814bdffb716c14e1724d ("Only use /redirect when automatically redirecting"). Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly reporting this issue!
---
 src/invidious/views/playlist.ecr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/invidious/views/playlist.ecr b/src/invidious/views/playlist.ecr
index d0518de7..136981da 100644
--- a/src/invidious/views/playlist.ecr
+++ b/src/invidious/views/playlist.ecr
@@ -47,7 +47,7 @@
 <%= translate(locale, "Switch Invidious Instance") %>
 <% else %>
-
+
 <%= translate(locale, "Switch Invidious Instance") %>
 <% end %>
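Review bot: The description names the channel playlists page, but the only file touched is `src/invidious/views/playlist.ecr`, and the sibling branch above `<% else %>` that renders the same "Switch Invidious Instance" link is left unchanged. It is worth confirming that the channel playlists template and that first branch do not also place request-derived values in the link target, since ECR's `<%= %>` emits its value without HTML escaping. Where a query string has to be carried into the link, wrapping the value as `<%= HTML.escape(...) %>`, or rebuilding it from validated parameters, keeps it inside the attribute. A spec that requests the page with a quote character in a parameter and asserts that the rendered link is escaped would guard against this regressing; the text of the changed line itself is not legible on this page, so the above is a check to run rather than a confirmed gap.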