ckeditor-youtube-plugin

XSS when embedding YouTube video

Open agabhane opened this issue 3 years ago • 5 comments

When we try to embed a YouTube video using the iframe syntax below, JavaScript code gets executed.

<iframe width="560" height="315" src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen onmouseover=alert(document.domain)></iframe>

Steps to reproduce

  1. Click on youtube toolbar button
  2. Paste <iframe width="560" height="315" src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen onmouseover=alert(document.domain)></iframe> in embed code box
  3. Click ok
  4. Observe alert

Actual result: Alert is shown with domain name

Expected result: Pasted code should be sanitized and JS should not be executed to display alert.

agabhane avatar Aug 04 '21 08:08 agabhane

Hi @fonini ,

Any ETA on fix for this issue?

agabhane avatar Feb 02 '22 04:02 agabhane

@agabhane At the moment, I do not have the time to work on this issue. Can you open a PR?

fonini avatar Feb 02 '22 14:02 fonini

Hi @fonini , is there any ETA for this fix ?

sushruts avatar Apr 12 '23 11:04 sushruts

Hi @sushruts, unfortunately, I have no time to look into this right now.

fonini avatar Apr 12 '23 12:04 fonini

Hi @fonini, I see there are no updates around this plugin. Do you have any ETA for this issue?

sushrutsawarkar avatar Sep 12 '23 06:09 sushrutsawarkar
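One way to get the expected result described in the issue, as an added example that is not the plugin's code and not from any participant in this thread: instead of inserting the pasted embed code, read only the video ID and dimensions from it and rebuild the iframe from a fixed template, so event-handler attributes such as `onmouseover` are never carried over. The function names, the host allowlist and the 11-character video ID pattern are assumptions made for this sketch.

```javascript
// Added example (hypothetical names; not the plugin's implementation).
// Assumption: embeds are only accepted from these hosts, over https.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'youtube.com', 'www.youtube-nocookie.com']);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumed ID format

// Read one attribute value from the pasted tag. The value is only validated
// below; nothing from the pasted markup is copied into the output verbatim.
function readAttr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Accept plain integers only; anything else falls back to the default size.
function clampDimension(value, fallback) {
  const n = /^\d{1,4}$/.test(value || '') ? parseInt(value, 10) : NaN;
  return Number.isNaN(n) || n < 1 ? fallback : n;
}

// Return the video ID if src is an https embed URL on an allowed host.
function extractVideoId(src) {
  let url;
  try { url = new URL(src); } catch { return null; }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const m = /^\/embed\/([^/]+)$/.exec(url.pathname);
  return m && VIDEO_ID.test(m[1]) ? m[1] : null;
}

// Rebuild the embed from a fixed template; returns null if the input is rejected.
function buildSafeEmbed(pasted) {
  const tag = /<iframe\b[^>]*>/i.exec(pasted);
  if (!tag) return null;
  const id = extractVideoId(readAttr(tag[0], 'src') || '');
  if (!id) return null;
  const w = clampDimension(readAttr(tag[0], 'width'), 560);
  const h = clampDimension(readAttr(tag[0], 'height'), 315);
  return `<iframe width="${w}" height="${h}" src="https://www.youtube.com/embed/${id}" ` +
         'frameborder="0" allowfullscreen></iframe>';
}

// The embed code from the issue: the onmouseover handler does not survive.
console.log(buildSafeEmbed('<iframe width="560" height="315" ' +
  'src="https://www.youtube.com/embed/ADS742xsoTw" frameborder="0" ' +
  'allowfullscreen onmouseover=alert(document.domain)></iframe>'));
```

The same allowlist-and-rebuild step belongs wherever stored editor content is rendered, since a check that runs only in the dialog can be bypassed by submitting content directly.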