Youtube onebox not sanitised

Salamander · January 30, 2016, 12:49am

XSS exploit on mouse over

zogstrip · January 30, 2016, 12:50am

Thanks for reporting that issue @Salamander.

I’m unlisting this since this is a valid XSS.

I’ll have a look tomorrow unless @sam gets to it before

codinghorror · January 30, 2016, 12:59am

Title of the video is

DiscoExploitTest" onmouseover="alert('Yes? Yes')"

zogstrip · January 30, 2016, 11:42am

Thanks @Salamander, I just pushed a fix

sam · January 30, 2016, 10:49pm

Note, fix is backported to beta and stable, closing this, flag to reopen if still having any issues.

Topic		Replies	Views
Youtube videos onebox embedding stopped working support	49	5510	April 5, 2021
Youtube Onebox not shown in expanded quotes bug	3	1121	May 11, 2017
YouTube SSL Regression bug	4	7498	February 20, 2015
Copyrighted Youtube videos are not oneboxing support	4	609	August 14, 2018
YouTube videos not oneboxing support	5	862	January 1, 2016