Subtitles are displayed by innerHTML method: cueElem.innerHTML = simpleText;
This could be dangerous if subtitle text contains some malicious code.
That should be already handled by vttTextToSimple function that removes all unknown HTML tags, but what if any filter includes some malicious code after vttTextToSimple call?
Better make some security check just before cueElem.innerHTML = simpleText; is written.
Make a list of allowed HTML tags (and their attributes), remove the others, write warning to console.
cueElem.innerHTML = simpleText;
subfilter/dist/subfilter-ui.js
Line 158 in 0046a57
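One way to do the allowlist check the issue asks for, as an added example that is not subfilter's own code: the set of allowed tags and attributes, the names checkCueHtml and escapeAngleBrackets, and the sample cues are assumptions, not taken from the project.

```javascript
// Allowlist of tags and, per tag, the attributes a cue may carry.
// Assumed for illustration; adjust to what vttTextToSimple really emits.
const ALLOWED_TAGS = { b: [], i: [], u: [], ruby: [], rt: [], span: ["class"] };

// A tag is accepted only in this strict shape: a plain name followed by zero
// or more double-quoted attributes. Anything else leaves a stray '<' behind.
const TAG_PATTERN = /<\/?([a-z][a-z0-9]*)((?:\s+[a-z-]+="[^"<>]*")*)\s*>/gi;
const ATTR_PATTERN = /\s+([a-z-]+)="[^"<>]*"/gi;

// Fallback: neutralise every angle bracket so the cue renders as plain text.
// Entities ('&amp;' etc.) are left alone; innerHTML decodes them to text only.
function escapeAngleBrackets(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns { ok, html, problems }. On any markup outside the allowlist the
// whole cue is escaped and a warning goes to the console, as the issue suggests.
function checkCueHtml(simpleText) {
  const problems = [];
  const tagRe = new RegExp(TAG_PATTERN.source, "gi"); // fresh lastIndex per call
  let cursor = 0;
  let m;
  while ((m = tagRe.exec(simpleText)) !== null) {
    // Text between two accepted tags must not contain unmatched brackets.
    if (/[<>]/.test(simpleText.slice(cursor, m.index))) {
      problems.push("stray angle bracket before <" + m[1] + ">");
    }
    const tag = m[1].toLowerCase();
    if (!(tag in ALLOWED_TAGS)) {
      problems.push("tag <" + tag + "> not allowed");
    } else {
      const attrRe = new RegExp(ATTR_PATTERN.source, "gi");
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        const name = a[1].toLowerCase();
        if (!ALLOWED_TAGS[tag].includes(name)) {
          problems.push("attribute " + name + " on <" + tag + "> not allowed");
        }
      }
    }
    cursor = m.index + m[0].length;
  }
  if (/[<>]/.test(simpleText.slice(cursor))) problems.push("stray angle bracket at end of cue");
  if (problems.length === 0) return { ok: true, html: simpleText, problems };
  console.warn("subtitle cue rejected: " + problems.join("; "));
  return { ok: false, html: escapeAngleBrackets(simpleText), problems };
}

// Intended use at the line the issue points to (cueElem is the cue's DOM node):
// cueElem.innerHTML = checkCueHtml(simpleText).html;
```

Because the check validates shape rather than trying to repair arbitrary HTML, a cue with unquoted attributes or a lone `<` is rejected as a whole instead of being partially cleaned.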