invidious-experimenting/src/invidious/views
Samantaz Fox ddb06b0cac
Fix XSS vulnerability in channel playlists
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious JavaScript
into the page by tricking the user into clicking a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
2021-12-19 20:51:44 +01:00
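The commit message above describes the bug class without showing it: request parameters copied as-is into the `href` of the instance-switch link, so a parameter value containing `"><script>` closes the attribute and injects markup. The following is an added illustration and is not Invidious's own code (Invidious is written in Crystal and renders ECR templates); it rebuilds the two patterns in plain JavaScript for Node. The instance host, path, channel id `UCxyz` and the `sort_by`/`continuation` parameter allow-list are assumptions for the example only.

```javascript
// Added example (not Invidious code): attribute-injection XSS in an
// "instance switch" link, and one way to build the same link safely.

// HTML-escape a value for use inside a double-quoted attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// VULNERABLE: the request path and the raw query string are concatenated
// into the href unchanged. A value such as  "><script>alert(1)</script>
// terminates the attribute and the rest is parsed as HTML.
function buildSwitchLinkVulnerable(instance, path, rawQuery) {
  return `<a href="https://${instance}${path}?${rawQuery}">Switch</a>`;
}

// HARDENED: parse the query, keep only known parameters (hypothetical
// allow-list), re-serialize them with URLSearchParams so quotes, angle
// brackets and slashes are percent-encoded, then HTML-escape the whole
// attribute value before it is emitted.
function buildSwitchLinkSafe(instance, path, rawQuery) {
  const params = new URLSearchParams(rawQuery);
  const allowed = new URLSearchParams();
  for (const key of ["sort_by", "continuation"]) {
    if (params.has(key)) allowed.set(key, params.get(key));
  }
  const qs = allowed.toString();
  const href = `https://${instance}${path}${qs ? "?" + qs : ""}`;
  return `<a href="${escapeHtmlAttr(href)}">Switch</a>`;
}

// Constructed attacker-controlled query string, as it would arrive in a
// crafted link the victim is tricked into clicking.
const payload = 'sort_by="><script>alert(1)</script>';
const path = "/channel/UCxyz/playlists"; // hypothetical channel id

console.log(buildSwitchLinkVulnerable("example.invalid", path, payload));
console.log(buildSwitchLinkSafe("example.invalid", path, payload));
```

The two defences are independent and both are needed: percent-encoding keeps the injected characters from changing the structure of the URL, and attribute-escaping the finished URL keeps anything that survives (for instance an `&` between parameters) from changing the structure of the HTML.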
components Add other missing translations 2021-11-21 01:54:46 +01:00
feeds Add other missing translations 2021-11-21 01:54:46 +01:00
add_playlist_items.ecr Fix URL-encoding in href strings (#2460) 2021-10-11 05:18:20 -07:00
authorize_token.ecr Multiple front-end fixes (#2247) 2021-07-15 23:01:36 +02:00
change_password.ecr
channel.ecr Use env.request.resource for instance switch link 2021-10-26 16:12:25 -07:00
clear_watch_history.ecr
community.ecr Use env.request.resource for instance switch link 2021-10-26 16:12:25 -07:00
create_playlist.ecr
data_control.ecr Update link to instructions 2020-12-07 13:34:40 +01:00
delete_account.ecr
delete_playlist.ecr
edit_playlist.ecr Multiple front-end fixes (#2247) 2021-07-15 23:01:36 +02:00
embed.ecr Move themes into default.css 2020-11-17 22:53:45 +01:00
error.ecr Add redirect buttons to error template 2021-06-19 04:16:18 -07:00
licenses.ecr Change videojs-vr to the unminified version 2021-05-23 09:24:49 -07:00
login.ecr Remove login type button from frontend (#2423) 2021-09-23 08:44:26 +02:00
message.ecr Add popular-enabled option 2020-12-27 06:12:43 +01:00
mix.ecr Multiple front-end fixes (#2247) 2021-07-15 23:01:36 +02:00
playlist.ecr Fix XSS vulnerability in channel playlists 2021-12-19 20:51:44 +01:00
playlists.ecr Use env.request.resource for instance switch link 2021-10-26 16:12:25 -07:00
preferences.ecr Add missing translation for quality selectors 2021-11-21 01:50:11 +01:00
privacy.ecr
search_homepage.ecr Multiple search fixes 2021-06-13 21:52:36 +02:00
search.ecr Fix URL-encoding in href strings (#2460) 2021-10-11 05:18:20 -07:00
subscription_manager.ecr Multiple front-end fixes (#2247) 2021-07-15 23:01:36 +02:00
template.ecr i18n: pass only the ISO code string to 'translate()' 2021-11-21 01:50:11 +01:00
token_manager.ecr Migrate to a good Content Security Policy (#1023) 2020-03-15 16:46:08 -05:00
watch.ecr Add other missing translations 2021-11-21 01:54:46 +01:00