From 76fad44de4c48eab15a224403385339226113637 Mon Sep 17 00:00:00 2001 From: 27chan <27chan@protonmail.com> Date: Mon, 5 Sep 2022 13:58:41 -0300 Subject: [PATCH] Removed regex with possibiblity of XSS An anonymous user reported the issue to me --- inc/config.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inc/config.php b/inc/config.php index 4d20fc76..d24df963 100644 --- a/inc/config.php +++ b/inc/config.php @@ -1079,9 +1079,10 @@ // Custom embedding (YouTube, vimeo, etc.) // It's very important that you match the entire input (with ^ and $) or things will not work correctly. + // Be careful when creating a new embed, because depending on the URL you end up exposing yourself to an XSS. $config['embedding'] = array( array( - '/^https?:\/\/(\w+\.)?youtube\.com\/watch\?v=([a-zA-Z0-9\-_]{10,11})(&.+)?$/i', + '/^https?:\/\/(\w+\.)?youtube\.com\/watch\?v=([a-zA-Z0-9\-_]{10,11})?$/i', '' ), array(