summaryrefslogtreecommitdiff
path: root/packages/frontend/src/components/MkYoutubePlayer.vue
diff options
context:
space:
mode:
authorsyuilo <Syuilotan@yahoo.co.jp>2023-02-04 09:10:01 +0900
committersyuilo <Syuilotan@yahoo.co.jp>2023-02-04 09:10:01 +0900
commit788ae2f6ca37d297e912bfba02821543e8566522 (patch)
tree84f34d91e37771b3770838370251c3f0fc40c037 /packages/frontend/src/components/MkYoutubePlayer.vue
parentclean up (diff)
downloadmisskey-788ae2f6ca37d297e912bfba02821543e8566522.tar.gz
misskey-788ae2f6ca37d297e912bfba02821543e8566522.tar.bz2
misskey-788ae2f6ca37d297e912bfba02821543e8566522.zip
fix(client): validate urls to improve security
Diffstat (limited to 'packages/frontend/src/components/MkYoutubePlayer.vue')
-rw-r--r--packages/frontend/src/components/MkYoutubePlayer.vue1
1 files changed, 1 insertions, 0 deletions
diff --git a/packages/frontend/src/components/MkYoutubePlayer.vue b/packages/frontend/src/components/MkYoutubePlayer.vue
index d1f1f9e9c5..50d38a71bd 100644
--- a/packages/frontend/src/components/MkYoutubePlayer.vue
+++ b/packages/frontend/src/components/MkYoutubePlayer.vue
@@ -26,6 +26,7 @@ const props = defineProps<{
}>();
const requestUrl = new URL(props.url);
+if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
let fetching = $ref(true);
let title = $ref<string | null>(null);
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-08 06:50:15 +0000