authorSamantaz Fox <coding@samantaz.fr>2024-08-15 18:26:17 +0200
committerSamantaz Fox <coding@samantaz.fr>2024-08-15 18:26:17 +0200
commit0b28054f8ac4066d5f2966a75a92eb935247d737 (patch)
tree99a6fe17b48e1693c51a2a0b8aec610145a6834f
parente319c35f097e08590e705378c7e5b479720deabc (diff)
videos: Fix XSS vulnerability in description/comments
Patch provided by e-mail, thanks to an anonymous user whose cats are named Yoshi and Yasuo. Comment is mine
-rw-r--r--src/invidious/videos/description.cr8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/invidious/videos/description.cr b/src/invidious/videos/description.cr
index c7191dec..1371bebb 100644
--- a/src/invidious/videos/description.cr
+++ b/src/invidious/videos/description.cr
@@ -36,7 +36,13 @@ def parse_description(desc, video_id : String) : String?
return "" if content.empty?
commands = desc["commandRuns"]?.try &.as_a
- return content if commands.nil?
+ if commands.nil?
+ # Slightly faster than HTML.escape, as we're only doing one pass on
+ # the string instead of five for the standard library
+ return String.build do |str|
+ copy_string(str, content.each_codepoint, content.size)
+ end
+ end
# Not everything is stored in UTF-8 on youtube's side. The SMP codepoints
# (0x10000 and above) are encoded as UTF-16 surrogate pairs, which are