Merged
Conversation
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): lock file maintenance * test: fix failing tests * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Muhammad Anas <muhammad.anas@arbisoft.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
…rity] (#3699) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* fix: add explicit referrer policy on video embeds * style: linting fix * fix: watch now home video * style: prettier errors
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| if (youtubeVideoHtml) { | ||
| const tempDiv = document.createElement("div"); | ||
| tempDiv.innerHTML = youtubeVideoHtml; |
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To fix the problem, ensure that the value extracted from the data-href attribute is never interpreted as HTML unless it is first properly sanitized. Since the purpose is to extract an iframe's src attribute, there is no need to parse an HTML string at all—just store the URL directly as the value of data-href and use it.
Best fix:
- Change code to expect the actual video URL in
data-hrefinstead of an HTML string. - Remove the usage of
innerHTMLand DOM parsing. - Use the value of
data-hrefdirectly as the YouTube video source.
Files/lines to change:
- In
openVideoLightBox()in static/js/hero.js, lines 9–27:- Instead of parsing an HTML fragment, get the URL directly from
data-href. - Set
youtubeVideoSrctoyoutubeVideoHtml(now the URL directly). - Remove creation of
tempDiv,innerHTML, andquerySelector("iframe"). - Adjust code logic accordingly.
- Instead of parsing an HTML fragment, get the URL directly from
What is needed:
- Remove unsafe HTML interpretation entirely.
- No extra dependencies are needed.
Suggested changeset
1
static/js/hero.js
| @@ -6,25 +6,16 @@ | ||
| const promoVideoSel = "#promo-video"; | ||
|
|
||
| function openVideoLightBox() { | ||
| const youtubeVideoHtml = $("#tv-light-box-yt-video").attr("data-href"); | ||
| const youtubeVideoSrc = $("#tv-light-box-yt-video").attr("data-href"); | ||
| const hlsAboutVideoEl = $("video#tv-light-box-video"); | ||
| if (!youtubeVideoHtml && hlsAboutVideoEl.length === 0) { | ||
| if (!youtubeVideoSrc && hlsAboutVideoEl.length === 0) { | ||
| console.error("We do not have any supported video elements available."); // eslint-disable-line no-console | ||
| return; | ||
| } | ||
|
|
||
| let backgroundVideo = null; | ||
| let youtubeVideoSrc = null; | ||
|
|
||
| if (youtubeVideoHtml) { | ||
| const tempDiv = document.createElement("div"); | ||
| tempDiv.innerHTML = youtubeVideoHtml; | ||
| const iframe = tempDiv.querySelector("iframe"); | ||
| if (iframe) { | ||
| youtubeVideoSrc = | ||
| iframe.getAttribute("data-src") || iframe.getAttribute("src"); | ||
| } | ||
| } | ||
| // No HTML parsing needed: data-href should contain the direct video URL. | ||
|
|
||
| const fancyBoxArgs = $.extend( | ||
| {}, |
Copilot is powered by AI and may make mistakes. Always verify output.
odlbot
added
waiting for checkboxes
all checkboxes checked
and removed
deploying to rc
waiting for checkboxes
labels
odlbot
added
deploying to prod
deployed to prod
and removed
all checkboxes checked
deploying to prod
labels
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Areeb Sajjad
renovate[bot]