Skip to content

Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
neatudarius wants to merge 1 commit into from
Closed

Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization #157

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 20 additions & 4 deletions src/components/youtube-transformer.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,28 @@
const YouTubeTransformer = {

Check failure on line 1 in src/components/youtube-transformer.js

View workflow job for this annotation

GitHub Actions / Trunk Check

prettier 

Incorrect formatting, autoformat by running 'trunk fmt'
name: "YouTube",
shouldTransform(url) {
return url.includes("youtube.com") || url.includes("youtu.be");
try {
const parsed = new URL(url);
const hostname = parsed.hostname.toLowerCase();
const allowedHosts = [
"youtube.com",
"www.youtube.com",
"m.youtube.com",
"youtu.be",
"www.youtu.be"
];
return allowedHosts.includes(hostname);
} catch (e) {
// If the URL cannot be parsed, it cannot be a valid YouTube URL.
return false;
}
},
getHTML(url) {
const videoId = url.includes("youtu.be")
? url.split("/").pop()
: new URL(url).searchParams.get("v");
const urlObj = new URL(url);
const isShort = urlObj.hostname.toLowerCase() === "youtu.be" || urlObj.hostname.toLowerCase() === "www.youtu.be";
const videoId = isShort
? urlObj.pathname.split("/").filter(Boolean).pop()
: urlObj.searchParams.get("v");

Comment on lines +23 to 26
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

videoId is derived from untrusted URL components (searchParams.get("v") / path segment) and then interpolated directly into an HTML attribute. A crafted URL can include quotes in the v parameter (e.g. ?v=" onload=...) which would break out of src="..." and enable HTML injection/XSS in the generated site. Validate the extracted videoId against the expected YouTube ID format (typically 11 chars [A-Za-z0-9_-]) and/or ensure it is safely encoded before interpolation; if invalid/missing, avoid transforming the URL (or return a safe fallback) instead of embedding null/unsafe content.

Suggested change
const videoId = isShort
? urlObj.pathname.split("/").filter(Boolean).pop()
: urlObj.searchParams.get("v");
const rawVideoId = isShort
? urlObj.pathname.split("/").filter(Boolean).pop()
: urlObj.searchParams.get("v");
const videoIdPattern = /^[A-Za-z0-9_-]{11}$/;
const videoId =
typeof rawVideoId === "string" && videoIdPattern.test(rawVideoId)
? rawVideoId
: null;
if (!videoId) {
// Invalid or missing video ID; avoid generating an embed to prevent XSS.
return "";
}

Copilot uses AI. Check for mistakes.
return `
<iframe
Expand Down
Loading