Fix XSS hole in YouTube remarkup rule

Summary: The source wasn't properly escaped. Test Plan: Made a comment like "http://youtube.com/?v="></iframe><h1>!!!</h1>" Reviewed By: mroch Reviewers: tomo, mroch, tuomaspelkonen, aran, jungejason CC: aran, mroch Differential Revision: 516
2024-12-19 12:00:55 +01:00 · 2011-06-24 10:43:57 -07:00 · 2011-06-24 10:43:57 -07:00 · 4bfbd209b2
commit 4bfbd209b2
parent fe04d8bf70
2 changed files with 13 additions and 6 deletions
--- a/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php
+++ b/src/infrastructure/markup/remarkup/markuprule/youtube/PhabricatorRemarkupRuleYoutube.php
@ -38,12 +38,18 @@ class PhabricatorRemarkupRuleYoutube
    if ($v) {
      $youtube_src = 'https://www.youtube.com/embed/'.$v;
      $iframe =
-        '<div class="embedded-youtube-video">
-              <iframe width="650" height="400" '.
-        'style="margin: 1em auto; border: 0px" '.
-        'src="'.$youtube_src.'" '.
-        'frameborder="0"></iframe>
-            </div>';
+        '<div class="embedded-youtube-video">'.
+          phutil_render_tag(
+            'iframe',
+            array(
+              'width'       => '650',
+              'height'      => '400',
+              'style'       => 'margin: 1em auto; border: 0px;',
+              'src'         => $youtube_src,
+              'frameborder' => 0,
+            ),
+            '').
+        '</div>';
      return $this->getEngine()->storeText($iframe);
    } else {
      return $this->uri;
--- a/src/infrastructure/markup/remarkup/markuprule/youtube/init.php
+++ b/src/infrastructure/markup/remarkup/markuprule/youtube/init.php
@ -6,6 +6,7 @@



+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'markup/engine/remarkup/markuprule/base');
 phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');