Enable playlist functions for youtube. #48
Conversation
Added a case for embedding a playlist using youtube.
syntax.php
Outdated
| foreach($paramm as $key => $value) { | ||
| switch($key) { | ||
| case 'list': | ||
| $urlparam[] = $key . '=' . $paramm[$key]; |
There was a problem hiding this comment.
since the set parameter is later printed without any further sanitation, it needs to be sanitized here. The way it is implemented currently would open an XSS vulnerability
There was a problem hiding this comment.
also $param[$key] is the same as $value, so why not use that - it's a bit cleaner.
|
I corrected to use the $value variable as recommended, I had used the other format to match the existing code. I additionally added a check that the playlist id is a string, not sure if further sanitization is necessary, as I typically do not work on web programming. Happy to work out a more complicated check, if you could be more specific on what is necessary. |
|
The value will be a string for sure because it comes from the syntax. The problem arises when it contains HTML tags. I don't know what format youtube playlist identifiers have, but this format should be checked (probably using a regexp). |
|
Okay, I've created a regex match to ensure it has the format ID used by youtube playlists of alphanumeric strings with underscores and dashes. |
syntax.php
Outdated
| foreach($paramm as $key => $value) { | ||
| switch($key) { | ||
| case 'list': | ||
| if(preg_match('/(\w|-)+/',$value)) { |
There was a problem hiding this comment.
the regexp isn't anchored it would still match anything as long as it contains at least one letter. try /^[-\w]+$/
|
thx |
2 participants
Added a case for embedding a playlist using youtube.