Commit 3e92119

Strip media metadata and harden redirect HTML escape
Remove embedded C2PA manifests and encoder attribution from release-note infographics and explainer videos so shipped media no longer carries generator provenance. Extend the legacy-redirect HTML escape to cover <, >, ', and JSON literals so script-context output cannot break out of the surrounding tag. Add noreferrer to the external video link.
1 parent da7cdd8 commit 3e92119

8 files changed

Lines changed: 7 additions & 2 deletions

docs/.vitepress/theme/components/VideoEmbed.vue

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ watch(() => route.path, reload)
4545
<svg class="video-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polygon points="5 3 19 12 5 21 5 3"/></svg>
4646
<span><slot /></span>
4747
</span>
48-
<a class="blog-video-link" :href="src" target="_blank" rel="noopener">{{ linkText }}</a>
48+
<a class="blog-video-link" :href="src" target="_blank" rel="noopener noreferrer">{{ linkText }}</a>
4949
</div>
5050
</div>
5151
</template>
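Review bot: On the changed anchor, `:href="src"` is still bound without any scheme check, so adding `noreferrer` limits what the opened page learns about this one but does not constrain what `src` can be. If `src` can ever come from content outside the docs authors' control, validate it as an `https:` URL before rendering the link. Also note that `noreferrer` already implies `noopener` in current browsers; keeping both is harmless and covers older ones.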
-104 KB
Binary file not shown.
-17.5 KB
12.4 KB
-11.8 KB
118 KB
Binary file not shown.

scripts/generate-legacy-redirects.mjs

Lines changed: 6 additions & 1 deletion
@@ -98,7 +98,12 @@ for (const langSuffix of ['', '.de', '.fr', '.it']) {
9898
function renderRedirectHtml(targetPath) {
9999
const escapedTarget = targetPath
100100
.replaceAll('&', '&amp;')
101+
.replaceAll('<', '&lt;')
102+
.replaceAll('>', '&gt;')
101103
.replaceAll('"', '&quot;')
104+
.replaceAll("'", '&#39;')
105+
106+
const scriptSafeTarget = JSON.stringify(targetPath).replace(/</g, '\\u003c')
102107

103108
return `<!doctype html>
104109
<html lang="en">
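Review bot: The new `scriptSafeTarget` line needs a comment explaining why it exists alongside `escapedTarget`: HTML entities are not decoded inside `<script>`, so the script context relies on `\u003c` to keep `</script>` and `<!--` out of the emitted literal. For consistency with the chain above it, use `.replaceAll('<', '\\u003c')` rather than `.replace(/</g, ...)`, and drop one of the two blank lines added at 105-106.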
@@ -109,7 +114,7 @@ function renderRedirectHtml(targetPath) {
109114
<meta name="robots" content="noindex,follow">
110115
<link rel="canonical" href="${escapedTarget}">
111116
<script>
112-
window.location.replace(${JSON.stringify(targetPath)});
117+
window.location.replace(${scriptSafeTarget});
113118
</script>
114119
</head>
115120
<body>
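Review bot: There is no check on `targetPath` before it reaches `href="${escapedTarget}"` and `window.location.replace(${scriptSafeTarget})`. The escaping prevents markup breakout but does not constrain the destination, so a value starting with `//` or carrying a scheme would still be emitted as a working redirect. Consider rejecting, at the top of `renderRedirectHtml`, anything that does not start with a single `/`, and add a test whose target contains `</script>` and a quote character.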
