Subtitles are displayed by the innerHTML method: cueElem.innerHTML = simpleText;
This could be dangerous if subtitle text contains some malicious code.
That should already be handled by the vttTextToSimple function that removes all unknown HTML tags, but what if any filter includes some malicious code after the vttTextToSimple call?
Better make some security check just before cueElem.innerHTML = simpleText; is written.
Make a list of allowed HTML tags (and their attributes), remove the others, write a warning to the console.
subfilter/dist/subfilter-ui.js, line 158 in 0046a57
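One way to implement the proposed check, as an added example that is not subfilter's own code: an allowlist sanitizer run on simpleText right before the innerHTML assignment. The allowed tag and attribute set below is an assumption chosen for illustration; disallowed tags and attributes are dropped (their inner text is kept) and each drop is reported through a warn callback that defaults to console.warn.

```javascript
// Assumed allowlist: tag name -> attributes permitted on it. Not subfilter's actual list.
const ALLOWED_TAGS = {
  b: [], i: [], u: [], br: [], ruby: [], rt: [],
  span: ['class', 'title'],
};

// One tag at the start of the string: optional "/", a name, optional attributes, optional "/".
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeAttr(v) {
  return v.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns a copy of `html` containing only allowlisted tags and attributes.
// Text runs are kept as-is (they are already HTML produced upstream); any "<"
// that does not form a well-formed tag is rendered as text instead.
function sanitizeCueHtml(html, warn = console.warn) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }
    const [whole, slash, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, name)) {
      warn(`subfilter: dropped disallowed tag <${slash}${name}> from cue`);
      continue;                          // tag markers removed, inner text survives
    }
    if (slash) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (ALLOWED_TAGS[name].includes(attrName)) {
        attrs += ` ${attrName}="${escapeAttr(value)}"`;   // re-quote and escape the value
      } else {
        warn(`subfilter: dropped attribute "${attrName}" on <${name}>`);
      }
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return out;
}
```

At the call site this becomes cueElem.innerHTML = sanitizeCueHtml(simpleText); so anything a filter injected after vttTextToSimple is stripped and logged.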