Add embed youtube link for error_template_helper #5650
Fijxu wants to merge 2 commits into iv-org:master from
| if video_id.presence | ||
| params.delete("v") | ||
| if params.present? | ||
| embed_link = "https://youtube.com/embed/#{video_id}?#{params}" |
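Review bot: `video_id` is only checked with `.presence` before it is interpolated into the path of `embed_link`, so any non-empty value ends up in the generated URL. Validate it against the expected video ID format (or URL-encode it) before building the link, independently of how `params` ends up being filtered.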
Watch out when passing URL parameters directly to youtube. They might contain tracking identifiers! That's why the other youtube link does not pass any.
> They might contain tracking identifiers! That's why the other youtube link does not pass any.
Right, but when watching videos in a playlist, it actually contains two parameters, list and index
invidious/src/invidious/views/watch.ecr
Lines 121 to 122 in 21d0d10
I'll whitelist them so we only pass those to youtube links
You can use (and expand) src/invidious/yt_backend/url_sanitizer.cr
| else | ||
| embed_link = "https://youtube.com/embed/#{video_id}" | ||
| end | ||
| embed_html_element = "(<a rel=\"noopener\" referrerpolicy=\"origin-when-cross-origin\" href=\"#{embed_link}\">#{go_to_youtube_embed}</a>)" |
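Review bot: in the `embed_html_element` line, `embed_link` is interpolated into the `href` attribute as-is, and that value also carries `video_id` in the `else` branch, so escaping only the query parameters would not cover it. Escape the whole link at the point of interpolation, for example `href=\"#{HTML.escape(embed_link)}\"`, and check whether `go_to_youtube_embed` needs the same treatment.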
If you ever pass URL parameters, make sure to HTML escape them, otherwise that creates an XSS vulnerability.
| if video_id.presence | ||
| params.delete("v") | ||
| if params.present? | ||
| embed_link = "https://youtube.com/embed/#{video_id}?#{params}" |
If there's a t parameter, it would need to become start #5658
Closes #5649
It also checks if the endpoint is `/watch` and that the `v` query parameter isn't empty before generating the embed URL ^^
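The three review points raised in this thread (forward only `list` and `index`, turn `t` into `start`, HTML-escape what goes into the anchor) combined in one helper. This is an added Crystal example, not code from this PR or from Invidious; the helper names, the 11-character video ID pattern and the accepted `t` formats are assumptions.

```crystal
require "uri"
require "html"

# Hypothetical helper names; not part of Invidious.
ALLOWED_EMBED_PARAMS = {"list", "index"} # playlist parameters named in the thread

# Converts a `t` value ("90", "90s", "1m30s", "1h2m3s") to whole seconds.
# Assumption: these are the only accepted forms; anything else is dropped.
def timestamp_to_seconds(t : String) : Int32?
  return nil if t.empty?
  m = t.match(/\A(?:(\d{1,5})h)?(?:(\d{1,5})m)?(?:(\d{1,5})s?)?\z/)
  return nil unless m
  hours, minutes, seconds = {1, 2, 3}.map { |i| m[i]?.try(&.to_i) || 0 }
  hours * 3600 + minutes * 60 + seconds
end

# Returns the anchor element, or nil when the ID does not look like a video ID.
def embed_anchor(video_id : String, query : String, label : String) : String?
  # Assumption: video IDs are 11 characters from the URL-safe base64 alphabet.
  return nil unless video_id.matches?(/\A[A-Za-z0-9_-]{11}\z/)

  incoming = URI::Params.parse(query)
  outgoing = URI::Params.build do |form|
    # Copy only allowlisted keys; everything else (tracking IDs included) is dropped.
    ALLOWED_EMBED_PARAMS.each do |key|
      if value = incoming[key]?
        form.add(key, value)
      end
    end
    # The embed player takes `start` in seconds rather than `t`.
    if (t = incoming["t"]?) && (seconds = timestamp_to_seconds(t))
      form.add("start", seconds.to_s)
    end
  end

  link = "https://youtube.com/embed/#{video_id}"
  link += "?#{outgoing}" unless outgoing.empty?
  # Escape at the point of interpolation into HTML, for both link and label.
  %(<a rel="noopener" referrerpolicy="origin-when-cross-origin" href="#{HTML.escape(link)}">#{HTML.escape(label)}</a>)
end

# Constructed sample input: `si` and `x` are not on the allowlist and are dropped.
puts embed_anchor("AAAAAAAAAAA", "list=PLexample&index=3&t=1m30s&si=abc&x=%22%3E", "Embed link")
```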