Skip to content

Commit 6f47a30

Browse files
committed
security: add client-side input validation to youtube HTML pages
Add a defense-in-depth validation layer to both public/youtube.html and public/youtube_meta.html. Previously, parameters read from the URL hash were passed directly to the YouTube IFrame API without any client-side checks, relying solely on the upstream Lua layer for sanitization.
1 parent b3c9969 commit 6f47a30

2 files changed

Lines changed: 10 additions & 3 deletions

File tree

public/youtube.html

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -75,8 +75,12 @@
7575
};
7676

7777
function onYouTubeIframeAPIReady() {
78-
const vid = getParameter('v') || 'dQw4w9WgXcQ';
79-
const startTime = parseFloat(getParameter('t')) || 0;
78+
const rawVid = getParameter('v');
79+
const vid = (rawVid && /^[a-zA-Z0-9_-]{11}$/.test(rawVid))
80+
? rawVid
81+
: 'dQw4w9WgXcQ';
82+
83+
const startTime = Math.max(0, parseFloat(getParameter('t')) || 0);
8084

8185
createPlayer(vid, startTime);
8286
}

public/youtube_meta.html

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,10 @@
7474
};
7575

7676
function onYouTubeIframeAPIReady() {
77-
const vid = getParameter('v') || 'dQw4w9WgXcQ';
77+
const rawVid = getParameter('v');
78+
const vid = (rawVid && /^[a-zA-Z0-9_-]{11}$/.test(rawVid))
79+
? rawVid
80+
: 'dQw4w9WgXcQ';
7881

7982
createPlayer(vid);
8083
}

0 commit comments

Comments
 (0)