mirror of https://github.com/Chocobozzz/PeerTube.git synced 2025-10-04 18:29:27 +02:00

Don't inject untrusted input

Even if it's already checked in middlewares
It's better to have safe modals too
Chocobozzz 2022-11-15 14:41:55 +01:00
parent 6bcb559fc9
commit 4638cd713d
No known key found for this signature in database
GPG key ID: 583A612D890159BE
35 changed files with 101 additions and 63 deletions


@ -4,6 +4,7 @@ import { escapeHTML } from '@shared/core-utils/renderer'
import { EMBED_SIZE, PREVIEWS_SIZE, THUMBNAILS_SIZE, WEBSERVER } from '../initializers/constants'
import { asyncMiddleware, oembedValidator } from '../middlewares'
import { accountNameWithHostGetValidator } from '../middlewares/validators'
import { forceNumber } from '@shared/core-utils'
const servicesRouter = express.Router()
@ -108,8 +109,8 @@ function buildOEmbed (options: {
const { req, previewSize, previewPath, title, channel, embedPath } = options
const webserverUrl = WEBSERVER.URL
const maxHeight = parseInt(req.query.maxheight, 10)
const maxWidth = parseInt(req.query.maxwidth, 10)
const maxHeight = forceNumber(req.query.maxheight)
const maxWidth = forceNumber(req.query.maxwidth)
const embedUrl = webserverUrl + embedPath
const embedTitle = escapeHTML(title)
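Review bot: `maxHeight` and `maxWidth` are now coerced with `forceNumber`, but nothing visible in this hunk handles a result that is not a finite number, which could happen when `maxheight`/`maxwidth` is absent, non-numeric, or repeated so that the query parser hands over an array. The implementation of `forceNumber` is not shown here, so whether it can return `NaN` needs confirming. If it can, a guard right after the coercion, such as `const maxHeight = Number.isFinite(h) ? h : undefined` with `h` holding the coerced value, would keep later size comparisons from silently evaluating to false. A short comment above the two lines, for example `// coerce to number here even though oembedValidator already checks the query: never pass the raw query value on`, would record why the coercion is repeated. `buildOEmbed` continues past the end of the hunk, so the places where these values are consumed are not visible.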