Diffstat (limited to 'bskyweb/static/iframe/youtube.html')
-rw-r--r--bskyweb/static/iframe/youtube.html12
1 files changed, 10 insertions, 2 deletions
diff --git a/bskyweb/static/iframe/youtube.html b/bskyweb/static/iframe/youtube.html
index 4b74d6fcd..a717a67c6 100644
--- a/bskyweb/static/iframe/youtube.html
+++ b/bskyweb/static/iframe/youtube.html
@@ -27,13 +27,21 @@
 
   let player
   function onYouTubeIframeAPIReady() {
+    let videoId = url.searchParams.get('videoId')
+    videoId = decodeURIComponent(videoId)
+    videoId = videoId.replace(/[^a-zA-Z0-9_-]/g, "")
+    if (videoId.length !== 11) throw new Error("Invalid video ID")
+
+    let start = url.searchParams.get('start')
+    start = start.replace(/[^0-9]/g, "")
+
     player = new YT.Player('player', {
       width: "1000",
       height: "1000",
-      videoId: url.searchParams.get('videoId'),
+      videoId,
       playerVars: {
         autoplay: 1,
-        start: url.searchParams.get('start'),
+        start,
         rel: 0,
         loop: 0,
         playsinline: 1,
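Review bot: `url.searchParams.get('start')` returns `null` when the link has no `start` parameter, so the added `start.replace(...)` throws a TypeError and the player is never created for embeds without a start offset; guard it, for example `let start = (url.searchParams.get('start') || '').replace(/[^0-9]/g, "")`. The `decodeURIComponent(videoId)` line decodes a second time, since `URLSearchParams.get` already returns the decoded value, and a value containing a bare `%` would raise a URIError before the intended "Invalid video ID" error. Stripping disallowed characters and then checking the length silently rewrites a malformed ID into a different one; rejecting anything that does not match in full is stricter, e.g. `if (!/^[a-zA-Z0-9_-]{11}$/.test(videoId)) throw new Error("Invalid video ID")`. `url` is defined above the hunk and the body of `onYouTubeIframeAPIReady` continues past it, so this assumes `url` is a `URL` built from the iframe's own location.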