Commit Graph

2103 Commits

Author SHA1 Message Date
Samantaz Fox
ddb06b0cac
Fix XSS vulnerability in channel playlists
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
2021-12-19 20:51:44 +01:00
Samantaz Fox
ee91effb7a
Merge pull request #2576 from SamantazFox/fix-locales-handling
Fix locales handling
2021-12-12 22:26:22 +01:00
Samantaz Fox
f236a6872b
Merge pull request #2659 from SamantazFox/fix-likes-dislikes
Fix likes/dislikes
2021-12-06 03:52:38 +01:00
Samantaz Fox
3e0096f360
Merge pull request #2683 from iv-org/SamantazFox-patch-1
Fix #2682
2021-12-02 15:35:00 +01:00
Samantaz Fox
438b334320
Merge pull request #2671 from matthewmcgarvey/code-removal
Remove dead code
2021-12-01 20:49:23 +01:00
Samantaz Fox
4aa96ecab9
Use 'dig()' in 'find()' statements 2021-12-01 17:32:10 +01:00
Samantaz Fox
7b9d26d688
Fix #2670
Fixes "Download widget replaces spaces in filename with +"
https://github.com/iv-org/invidious/issues/2670
2021-11-29 23:12:55 +01:00
matthewmcgarvey
8d4b4cd14c Remove dead code 2021-11-29 09:11:50 -06:00
Samantaz Fox
342fc202a7
Fix #2682
Fix "Missing param name: "q" (KeyError)"
https://github.com/iv-org/invidious/issues/2682
2021-11-29 14:53:27 +01:00
Samantaz Fox
4436359d07
Use dig to get category contents
Co-authored-by: Matthew McGarvey <matthewmcgarvey14@gmail.com>
2021-11-28 23:44:37 +01:00
Samantaz Fox
91f8395222
Typo: missing '?' when looking for key in dislikes_button
Co-authored-by: Matthew McGarvey <matthewmcgarvey14@gmail.com>
2021-11-28 23:37:27 +01:00
Émilien Devos
c6e086c6ff
Revert "Temporarily fix for #2612" (#2673) 2021-11-28 09:41:16 +01:00
Samantaz Fox
82f3eda82b
Merge pull request #2656 from SamantazFox/fix-2549
extract_video_info: Make sure that the Android player response is valid
2021-11-28 02:38:29 +01:00
Samantaz Fox
05f9613e14
Merge pull request #2623 from SamantazFox/temp-decompression-fix
Temporarily fix for #2612
2021-11-28 02:35:39 +01:00
Samantaz Fox
ceb1feb350
likes/dislikes: better fallback management
'.to_i64?' instead of '.to_i64' returns nil rather than raising
an exception when it's done on an empty string.

In some rare cases, rating can be equal to 5. In this case, the
value of player_response[videoDetails][averageRating] is an
Int and not a Float.
2021-11-25 23:16:50 +01:00
Samantaz Fox
2ea0590b03
i18n: return 'key' if 'key' is not in locales files 2021-11-25 19:46:34 +01:00
Samantaz Fox
80a513baa5
Use new techniques to get (dis)likes back 2021-11-24 01:22:09 +01:00
Samantaz Fox
ba48f68fc3
allow multiple, successive content-encodings 2021-11-21 18:16:05 +01:00
Samantaz Fox
319587e2f1
extract_video_info: make sure that the Android player response is valid 2021-11-21 17:34:17 +01:00
Samantaz Fox
bf7952d9c7
i18n: log a warning instead of rising an exception
This is more user-friendly.
TODO: maybe make a compile time flag for testing purposes
2021-11-21 01:54:54 +01:00
Samantaz Fox
f29ab53aff
Add other missing translations
* on watch page and video cards (search results, playlists, etc...)
* on /feed/playlists
* in search filters (not normalized in order to avoid collisions with
an existing PR that reworks the search filters)
2021-11-21 01:54:46 +01:00
Samantaz Fox
b5b0c58de7
Add missing translation for quality selectors 2021-11-21 01:50:11 +01:00
Samantaz Fox
a1bb421eec
Remove useless 'hl' parameters on captions URL 2021-11-21 01:50:11 +01:00
Samantaz Fox
139786b9ef
i18n: pass only the ISO code string to 'translate()'
Don't use the whole Hash everywhere.
Also fall back nicely to english string if no translation exists.
2021-11-21 01:50:11 +01:00
Samantaz Fox
301444563b
i18n: Use language full name instead of ISO code
Fixes #851
2021-11-21 01:50:11 +01:00
Samantaz Fox
9966c21c6b
i18n: Add list of language names 2021-11-21 01:50:11 +01:00
babababag
fd54cf2d05
Escape video description 2021-11-17 12:04:30 +00:00
Samantaz Fox
2c447a42f2
Make sure to only apply fix if QUIC is disabled 2021-11-16 21:40:35 +01:00
Samantaz Fox
dad8f9a0ce
Fix typo
Should be checking the returned headers, not the sent ones.
2021-11-16 20:39:26 +01:00
Samantaz Fox
2eac23a0b3
Temporary fix for #2612
Don't rely on the auto compression/decompression provided by the crystal stdlib.
2021-11-16 13:46:28 +01:00
Samantaz Fox
00904ae3f2
Merge pull request #2444 from syeopite/only-use-redirect-endpoint-when-needed
Only use the /redirect endpoint when automatically redirecting to another instance
2021-11-13 20:40:09 +01:00
Émilien Devos
d214a0b333
remove duplicate lsquic requirement 2021-11-12 23:02:43 +00:00
syeopite
a120f143d7
Disable quic by default
See #2577
2021-11-12 04:03:23 -08:00
syeopite
65fbdbff6a
Remove of gzip header w/ use_quic config
Continuation of b0f127d4d8
2021-11-12 03:52:50 -08:00
syeopite
6ec4dcfafd
Fix handling for maxres thumbnail 2021-11-12 03:47:58 -08:00
syeopite
48191aca6e
Fix copy-paste error 2021-11-12 03:47:57 -08:00
syeopite
83556bace2
Allow thumbnail queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite
814c9e6c3a
Use https for storyboard image requests 2021-11-12 03:47:57 -08:00
syeopite
547abe17d9
Use https for ggpht requests 2021-11-12 03:47:57 -08:00
syeopite
6b8450558d
Allow storyboard queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite
c3747c2d49
Allow ggpht queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite
245122104a
Respect use_quic param and fix typos 2021-11-12 03:47:57 -08:00
syeopite
b0f127d4d8
Fix gzip decompression with HTTP::Client 2021-11-12 03:47:57 -08:00
syeopite
d379a36c0e
Add compile-time flag to remove code for QUIC 2021-11-12 03:47:50 -08:00
Samantaz Fox
6cf0ff6b49
Remove useless auto_generated param from PlaylistVideo#to_xml
given the variables available in this function's context, 'author' and 'ucid'
provide the same data 'self.author' and 'self.ucid', respectively.

Given that fact, the variable `auto_generated` has no impact on the logic of
this function, and hence can be safely removed. this greatly simplifies the
code and makes it perfectly compatible with crystal's calling convention for
'#to_xml' methods.
2021-10-29 16:26:42 +02:00
Samantaz Fox
86f75758a7
Fix 'to_json' in struct PlaylistVideo 2021-10-29 16:26:42 +02:00
Samantaz Fox
0ec94405ce
Add TODO comments to other places 2021-10-29 16:26:42 +02:00
Samantaz Fox
33780f1995
Also fix 'to_json' in struct Video 2021-10-29 16:26:35 +02:00
Samantaz Fox
1cb715ac9f
serialized_yt_data: force datatype of 'locale' 2021-10-28 17:48:08 +02:00
Samantaz Fox
f65b628bf3
serialized_yt_data: Remove default nil value in to_json
this will ensure that two parameters are passed and that it
doesn't collide with 'to_json(builder)'
2021-10-28 17:48:07 +02:00