Fix XSS vulnerability in channel playlists

The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting (XSS), because the different URL parameters were inserted as-is in the URL meant for instance switching. This vulnerability could allow an attacker to inject malicious Javascript in the page by tricking the user to click on a crafted link. Bug introduced in commit 66e7285108 ("Only use /redirect when automatically redirecting"). Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly reporting this issue!
3 years ago · ddb06b0cac
parent 2ac19eb8fc
commit ddb06b0cac
1 changed files with 1 additions and 1 deletions
--- a/src/invidious/views/playlist.ecr
+++ b/src/invidious/views/playlist.ecr
@ -47,7 +47,7 @@
                            <%= translate(locale, "Switch Invidious Instance") %>
                        </a>
                    <% else %>
-                        <a href="https://redirect.invidious.io<%= env.request.resource %>">
+                        <a href="https://redirect.invidious.io/playlist?list=<%= playlist.id %>">
                            <%= translate(locale, "Switch Invidious Instance") %>
                        </a>
                    <% end %>