XSS when embedding YouTube video #98
Comments
Hi @fonini, any ETA on a fix for this issue?
@agabhane At the moment, I do not have the time to work on this issue. Can you open a PR?
Hi @fonini, is there any ETA for this fix?
Hi @sushruts, unfortunately, I have no time to look into this right now.
Hi @fonini, I see there are no updates around this plugin. Do you have any ETA for this issue?
When we try to embed a YouTube video using the iframe syntax below, JavaScript code gets executed.
<iframe width="560" height="315" src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen onmouseover=alert(document.domain)></iframe>
Steps to reproduce
<iframe width="560" height="315" src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen onmouseover=alert(document.domain)></iframe>
in embed code box
Actual result
Alert is shown with domain name
Expected result
Pasted code should be sanitized and JS should not be executed to display the alert.
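The sanitization the issue asks for, as an added example that is not part of the original issue or the plugin's code: instead of filtering the pasted markup, extract and validate the video URL, then rebuild the iframe from fixed attributes so nothing else from the paste (such as `onmouseover`) survives. The function names, the host allowlist, the 11-character ID pattern and the size limits are assumptions made for this example.

```javascript
// Added example (not the plugin's code). Names and limits are assumptions.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "www.youtube-nocookie.com"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumed YouTube ID format

// Read one quoted attribute value from the pasted markup. The value is
// untrusted; callers validate it before it reaches the output.
function readAttr(markup, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i");
  const m = re.exec(markup);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Accept only plain integers inside a sane range, else use the default.
function clampDimension(value, fallback) {
  const n = Number.parseInt(value, 10);
  return Number.isInteger(n) && n >= 100 && n <= 4096 ? n : fallback;
}

// Returns a rebuilt iframe string, or null when the paste is not a valid
// YouTube embed. No pasted attribute is ever copied through verbatim.
function sanitizeYouTubeEmbed(pasted) {
  if (typeof pasted !== "string" || !/^\s*<iframe[\s>]/i.test(pasted)) return null;
  const src = readAttr(pasted, "src");
  if (src === null) return null;
  let url;
  try { url = new URL(src); } catch (e) { return null; }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const m = /^\/embed\/([^/]+)$/.exec(url.pathname);
  if (!m || !VIDEO_ID.test(m[1])) return null;
  const width = clampDimension(readAttr(pasted, "width"), 560);
  const height = clampDimension(readAttr(pasted, "height"), 315);
  return `<iframe width="${width}" height="${height}" ` +
    `src="https://${url.hostname}/embed/${m[1]}" frameborder="0" allowfullscreen></iframe>`;
}

// Constructed sample: the embed code from the report above.
const REPORTED_EMBED = '<iframe width="560" height="315" ' +
  'src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" ' +
  'allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" ' +
  'allowfullscreen onmouseover=alert(document.domain)></iframe>';

console.log(sanitizeYouTubeEmbed(REPORTED_EMBED));
```

Because the output is assembled only from a validated host, a validated video ID and two integers, an unexpected attribute in the paste cannot reach the page even if the attribute extraction is fooled.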