From 0b28054f8ac4066d5f2966a75a92eb935247d737 Mon Sep 17 00:00:00 2001 From: Samantaz Fox Date: Thu, 15 Aug 2024 18:26:17 +0200 Subject: [PATCH] videos: Fix XSS vulnerability in description/comments Patch provided by e-mail, thanks to an anonymous user whose cats are named Yoshi and Yasuo. Comment is mine --- src/invidious/videos/description.cr | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/invidious/videos/description.cr b/src/invidious/videos/description.cr index c7191dec..1371bebb 100644 --- a/src/invidious/videos/description.cr +++ b/src/invidious/videos/description.cr @@ -36,7 +36,13 @@ def parse_description(desc, video_id : String) : String? return "" if content.empty? commands = desc["commandRuns"]?.try &.as_a - return content if commands.nil? + if commands.nil? + # Slightly faster than HTML.escape, as we're only doing one pass on + # the string instead of five for the standard library + return String.build do |str| + copy_string(str, content.each_codepoint, content.size) + end + end # Not everything is stored in UTF-8 on youtube's side. The SMP codepoints # (0x10000 and above) are encoded as UTF-16 surrogate pairs, which are