Fix XSS issue

This commit is contained in:
Chocobozzz 2023-02-06 10:09:42 +01:00
parent 913504234f
commit 7c769bbb79
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
8 changed files with 1004 additions and 3639 deletions


@ -0,0 +1,2 @@
./scripts
./screens


@ -0,0 +1,3 @@
# 0.0.7
* Fix XSS injection


@ -1,3 +1,5 @@
import * as DOMPurify from 'dompurify'
export function buildPlayer (video, player, videojs) { export function buildPlayer (video, player, videojs) {
window.videojs = videojs window.videojs = videojs
require('videojs-overlay') require('videojs-overlay')
@ -8,7 +10,7 @@ export function buildPlayer (video, player, videojs) {
const annotationsText = video.pluginData[fieldName] const annotationsText = video.pluginData[fieldName]
const annotations = parseAnnotations(annotationsText) const annotations = parseAnnotations(video, annotationsText)
if (!annotations) return if (!annotations) return
console.log('Will inject annotations in player.', annotations) console.log('Will inject annotations in player.', annotations)
@ -18,24 +20,27 @@ export function buildPlayer (video, player, videojs) {
}) })
} }
function parseAnnotations (annotationsText) { // ---------------------------------------------------------------------------
const splitted = annotationsText.split(/\n\r?\n\r?/)
return splitted.map(s => buildAnnotation(s)) function parseAnnotations (video, annotationsText) {
const splitted = annotationsText.split(/\n\r?\n\r?/)
.filter(line => !!line)
return splitted.map(s => buildAnnotation(video, s))
.filter(a => !!a) .filter(a => !!a)
} }
function buildAnnotation (text) { function buildAnnotation (video, text) {
const splitted = text.split('\n') const splitted = text.split('\n')
if (splitted.length < 2) { if (splitted.length < 2) {
console.error('Cannot build annotation %s.', text) console.error('Cannot build annotation "%s".', text)
return undefined return undefined
} }
const timestampsText = splitted.shift() const timestampsText = splitted.shift()
const timestamps = buildTimestamps(timestampsText) const timestamps = buildTimestamps(timestampsText)
if (!timestamps) { if (!timestamps) {
console.error('Cannot build timestamp %s of %s.', timestampsText, text) console.error('Cannot build timestamp "%s" of "%s".', timestampsText, text)
return undefined return undefined
} }
@ -46,7 +51,7 @@ function buildAnnotation (text) {
options = buildOptions(optionsText) options = buildOptions(optionsText)
if (!options) { if (!options) {
console.error('Cannot build options %s of %s.', optionsText, text) console.error('Cannot build options "%s" of "%s".', optionsText, text)
} else { } else {
splitted.shift() splitted.shift()
} }
@ -58,7 +63,7 @@ function buildAnnotation (text) {
const result = { const result = {
align, align,
content content: DOMPurify.sanitize(content)
} }
result.start = timestamps.start || 0 result.start = timestamps.start || 0
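Review bot: `content: DOMPurify.sanitize(content)` relies on DOMPurify's default profile, which still admits anchors, images and their `href`/`src` attributes, so a sanitized annotation can still embed links or remote image loads in the player; if annotations only need inline formatting, constrain the output with an explicit allow-list such as `content: DOMPurify.sanitize(content, { ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'br'], ALLOWED_ATTR: [] })`. The `video` argument now threaded through parseAnnotations and buildAnnotation is not read on any visible line; if it is unused, drop it, otherwise a one-line comment on what it is for would help the next reader. `align` is stored on the result as-is, so it is worth confirming how it ends up in the DOM (that use is outside this hunk). buildAnnotation continues past the end of the hunk.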



@ -29,9 +29,9 @@
"assets/videojs-overlay.css" "assets/videojs-overlay.css"
], ],
"devDependencies": { "devDependencies": {
"@purtuga/esm-webpack-plugin": "^1.1.1", "dompurify": "^2.4.3",
"webpack": "^4.41.2", "esbuild": "^0.17.5",
"webpack-cli": "^3.3.10", "esbuild-plugin-external-global": "^1.0.1",
"videojs-overlay": "^2.1.4" "videojs-overlay": "^2.1.4"
}, },
"engine": { "engine": {
@ -45,7 +45,7 @@
"library": "./main.js", "library": "./main.js",
"scripts": { "scripts": {
"prepare": "npm run build", "prepare": "npm run build",
"build": "cp node_modules/videojs-overlay/dist/videojs-overlay.css ./assets/videojs-overlay.css && webpack --mode=production" "build": "sh ./scripts/build.sh"
}, },
"staticDirs": {}, "staticDirs": {},
"translations": { "translations": {
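Review bot: `dompurify` is a runtime dependency of the client code but is declared under `devDependencies` alongside the build tooling; that only works because the esbuild config bundles it into `dist/`, so if the bundle were ever produced on the consumer side (the `prepare` script runs `npm run build`) the package would be absent. Moving it to `dependencies` makes the requirement explicit regardless of how the package is installed. This is inferred from the scripts visible here; if `dist/` is always shipped prebuilt the current placement is harmless.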


@ -0,0 +1,7 @@
#!/bib/sh
rm -rf ./dist ./assets/videojs-overlay.css
node ./scripts/esbuild.js
cp ./node_modules/videojs-overlay/dist/videojs-overlay.css ./assets/videojs-overlay.css
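Review bot: The shebang on the first line reads `#!/bib/sh`, which is not a valid interpreter path; it is masked only because package.json runs the file via `sh ./scripts/build.sh`, and would fail if the script were ever executed directly. The script also has no `set -e`, so if `node ./scripts/esbuild.js` fails the `cp` still runs and the build exits 0 after `rm -rf ./dist` has already emptied the output. Replace the first line with `#!/bin/sh` and add `set -eu` directly after it.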


@ -0,0 +1,19 @@
const esbuild = require('esbuild')
const { externalGlobalPlugin } = require('esbuild-plugin-external-global')
for (const file of [ 'embed-client-plugin.js', 'video-edit-client-plugin.js', 'video-watch-client-plugin.js' ]) {
esbuild.build({
entryPoints: [ 'client/' + file ],
bundle: true,
minify: false,
format: 'esm',
outfile: 'dist/' + file,
target: [ 'safari11' ],
plugins: [
externalGlobalPlugin({
'video.js': 'window.videojs'
})
]
})
}
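Review bot: `esbuild.build()` returns a promise that the loop neither awaits nor catches, so the three bundles are started concurrently and a build error only surfaces as an unhandled rejection; whether that produces a non-zero exit depends on the Node version, and build.sh does not check the exit status either. Collect the promises and fail explicitly: add `const builds = []` before the loop, change the call to `builds.push(esbuild.build({`, and after the loop add `Promise.all(builds).catch((err) => { console.error(err); process.exit(1) })`. A short header comment naming the three entry points and why `video.js` is mapped to `window.videojs` would also help whoever next touches the build.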


@ -1,28 +0,0 @@
const path = require("path")
const webpack = require('webpack')
const EsmWebpackPlugin = require("@purtuga/esm-webpack-plugin")
const clientFiles = [
'embed-client-plugin.js',
'video-watch-client-plugin.js',
'video-edit-client-plugin.js'
]
let config = clientFiles.map(f => ({
entry: "./client/" + f,
output: {
path: path.resolve(__dirname, "./dist"),
filename: "./" + f,
library: "script",
libraryTarget: "var"
},
plugins: [
new EsmWebpackPlugin()
],
externals: {
'video.js': 'window.videojs'
}
}))
module.exports = config