Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reflected xss vis src parameter #5606

Closed
5 tasks done
JesseClarkND opened this issue Jun 28, 2023 · 2 comments · Fixed by anime-vsub/app#107, anime-vsub/app#108 or Tisankan/bemusic-spotify_clone#22 · May be fixed by anime-vsub/app#109
Closed
5 tasks done

Reflected xss vis src parameter #5606

JesseClarkND opened this issue Jun 28, 2023 · 2 comments · Fixed by anime-vsub/app#107, anime-vsub/app#108 or Tisankan/bemusic-spotify_clone#22 · May be fixed by anime-vsub/app#109
Labels
Bug Confirmed Demo good-first-issue Something that would be great to work on as an introduction to the code-base. security Pull requests that address a security vulnerability

Comments

@JesseClarkND
Copy link

What version of Hls.js are you using?

1.4.7

What browser (including version) are you using?

Firefox 114.0.1

What OS (including version) are you using?

Windows 10

Test stream

Configuration

{}

Additional player setup steps

No response

Checklist

Steps to reproduce

  1. Merely visit Merely visit
    https://hlsjs.video-dev.org/demo/?src=%22%27%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3Ejavascript%3Aalert(1)

Expected behaviour

src to be properly parsed before being inserted into HTML

What actually happened?

HTML directly inserted into DOM

Console output

-

Chrome media internals output

No response
@JesseClarkND JesseClarkND added Bug Needs Triage If there is a suspected stream issue, apply this label to triage if it is something we should fix. labels Jun 28, 2023
@robwalch robwalch added Confirmed good-first-issue Something that would be great to work on as an introduction to the code-base. security Pull requests that address a security vulnerability Demo and removed Needs Triage If there is a suspected stream issue, apply this label to triage if it is something we should fix. labels Jun 28, 2023
@robwalch
Copy link
Collaborator

Hi @JesseClarkND,

Would you be willing to submit a PR that checks the input for and deals with XSS tags? See https://github.com/video-dev/hls.js/blob/master/demo/main.js#L20

@robwalch
Copy link
Collaborator

robwalch commented Jul 3, 2024

Resolved by #6538 in v1.5.13

@robwalch robwalch closed this as completed Jul 3, 2024
This was referenced Aug 6, 2024
Merged
Merged
@tachibana-shin tachibana-shin mentioned this issue Aug 22, 2024
Open
@Tisankan Tisankan mentioned this issue Sep 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Confirmed Demo good-first-issue Something that would be great to work on as an introduction to the code-base. security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
2 participants
@robwalch @JesseClarkND