From 9b995d6dec2873d5bf3627647b7cef93a2caa289 Mon Sep 17 00:00:00 2001
From: ChunkyProgrammer <78101139+ChunkyProgrammer@users.noreply.github.com>
Date: Tue, 20 Aug 2024 19:55:22 -0400
Subject: [PATCH] encode parameters retrieved from url

---
 src/invidious/routes/api/v1/channels.cr | 12 ++++++------
 src/invidious/routes/api/v1/videos.cr   |  2 +-
 src/invidious/routes/channels.cr        |  6 +++---
 src/invidious/routes/watch.cr           |  6 +++---
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/invidious/routes/api/v1/channels.cr b/src/invidious/routes/api/v1/channels.cr
index cb0f7dc68..e7a0a132b 100644
--- a/src/invidious/routes/api/v1/channels.cr
+++ b/src/invidious/routes/api/v1/channels.cr
@@ -395,7 +395,7 @@ module Invidious::Routes::API::V1::Channels
     locale = env.get("preferences").as(Preferences).locale
 
     env.response.content_type = "application/json"
-    id = env.params.url["id"].to_s
+    id = URI.encode_www_form(env.params.url["id"].to_s)
     ucid = env.params.query["ucid"]?
 
     thin_mode = env.params.query["thin_mode"]?
@@ -407,9 +407,9 @@ module Invidious::Routes::API::V1::Channels
     if ucid.nil?
       response = YoutubeAPI.resolve_url("https://www.youtube.com/post/#{id}")
       return error_json(400, "Invalid post ID") if response["error"]?
-      ucid = response.dig("endpoint", "browseEndpoint", "browseId").as_s
+      ucid = URI.encode_www_form(response.dig("endpoint", "browseEndpoint", "browseId").as_s)
     else
-      ucid = ucid.to_s
+      ucid = URI.encode_www_form(ucid.to_s)
     end
 
     begin
@@ -424,7 +424,7 @@ module Invidious::Routes::API::V1::Channels
 
     env.response.content_type = "application/json"
 
-    id = env.params.url["id"]
+    id = URI.encode_www_form(env.params.url["id"])
 
     thin_mode = env.params.query["thin_mode"]?
     thin_mode = thin_mode == "true"
@@ -438,9 +438,9 @@ module Invidious::Routes::API::V1::Channels
     if ucid.nil?
       response = YoutubeAPI.resolve_url("https://www.youtube.com/post/#{id}")
       return error_json(400, "Invalid post ID") if response["error"]?
-      ucid = response.dig("endpoint", "browseEndpoint", "browseId").as_s
+      ucid = URI.encode_www_form(response.dig("endpoint", "browseEndpoint", "browseId").as_s)
     else
-      ucid = ucid.to_s
+      ucid = URI.encode_www_form(ucid.to_s)
     end
 
     case continuation
diff --git a/src/invidious/routes/api/v1/videos.cr b/src/invidious/routes/api/v1/videos.cr
index 368304ac2..19fa7aebd 100644
--- a/src/invidious/routes/api/v1/videos.cr
+++ b/src/invidious/routes/api/v1/videos.cr
@@ -392,7 +392,7 @@ module Invidious::Routes::API::V1::Videos
 
     env.response.content_type = "application/json"
 
-    clip_id = env.params.url["id"]
+    clip_id = URI.encode_www_form(env.params.url["id"])
     region = env.params.query["region"]?
     proxy = {"1", "true"}.any? &.== env.params.query["local"]?
 
diff --git a/src/invidious/routes/channels.cr b/src/invidious/routes/channels.cr
index f3e4abd6a..b6d9aaac6 100644
--- a/src/invidious/routes/channels.cr
+++ b/src/invidious/routes/channels.cr
@@ -239,7 +239,7 @@ module Invidious::Routes::Channels
 
   def self.post(env)
     # /post/{postId}
-    id = env.params.url["id"]
+    id = URI.encode_www_form(env.params.url["id"])
     ucid = env.params.query["ucid"]?
 
     prefs = env.get("preferences").as(Preferences)
@@ -255,14 +255,14 @@ module Invidious::Routes::Channels
     nojs = nojs == "1"
 
     if !ucid.nil?
-      ucid = ucid.to_s
+      ucid = URI.encode_www_form(ucid.to_s)
       post_response = fetch_channel_community_post(ucid, id, locale, "json", thin_mode)
     else
       # resolve the url to get the author's UCID
       response = YoutubeAPI.resolve_url("https://www.youtube.com/post/#{id}")
       return error_template(400, "Invalid post ID") if response["error"]?
 
-      ucid = response.dig("endpoint", "browseEndpoint", "browseId").as_s
+      ucid = URI.encode_www_form(response.dig("endpoint", "browseEndpoint", "browseId").as_s)
       post_response = fetch_channel_community_post(ucid, id, locale, "json", thin_mode)
     end
 
diff --git a/src/invidious/routes/watch.cr b/src/invidious/routes/watch.cr
index ad64f53f5..ef4a7b23d 100644
--- a/src/invidious/routes/watch.cr
+++ b/src/invidious/routes/watch.cr
@@ -338,7 +338,7 @@ module Invidious::Routes::Watch
     locale = env.get("preferences").as(Preferences).locale
     region = env.params.query["region"]?
 
-    id = env.params.query["id"]
+    id = URI.encode_www_form(env.params.query["id"])
     continuation = env.params.query["continuation"]?
 
     source = env.params.query["source"]? || "youtube"
@@ -356,9 +356,9 @@ module Invidious::Routes::Watch
       if ucid.nil?
         response = YoutubeAPI.resolve_url("https://www.youtube.com/post/#{id}")
         return error_json(400, "Invalid post ID") if response["error"]?
-        ucid = response.dig("endpoint", "browseEndpoint", "browseId").as_s
+        ucid = URI.encode_www_form(response.dig("endpoint", "browseEndpoint", "browseId").as_s)
       else
-        ucid = ucid.to_s
+        ucid = URI.encode_www_form(ucid.to_s)
       end
       case continuation
       when nil, ""