[FIX] website: fix video loading

task-2376327
odoo · Jul 16, 2021 · 74532a0 · 74532a0
1 parent c1d6d4a
commit 74532a0
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/addons/website/static/src/js/content/snippets.animation.js b/addons/website/static/src/js/content/snippets.animation.js
@@ -608,7 +608,10 @@ registry.mediaVideo = publicWidget.Widget.extend({
 
         var def = this._super.apply(this, arguments);
         if (this.$target.children('iframe').length) {
-            // There already is an <iframe/>, do nothing
+            // There already is an <iframe/>, do nothing. This is the normal
+            // case. The whole code that follows is only there to ensure
+            // compatibility with videos added before bug fixes or new Odoo
+            // versions where the <iframe/> element is properly saved.
             return def;
         }
 
@@ -626,11 +629,23 @@ registry.mediaVideo = publicWidget.Widget.extend({
         // the src is saved in the 'data-src' attribute or the
         // 'data-oe-expression' one (the latter is used as a workaround in 10.0
         // system but should obviously be reviewed in master).
+        var src = _.escape(this.$target.data('oe-expression') || this.$target.data('src'));
+        // Validate the src to only accept supported domains we can trust
+        var m = src.match(/^(?:https?:)?\/\/([^/?#]+)/);
+        if (!m) {
+            // Unsupported protocol or wrong URL format, don't inject iframe
+            return def;
+        }
+        var domain = m[1].replace(/^www\./, '');
+        var supportedDomains = ['youtu.be', 'youtube.com', 'youtube-nocookie.com', 'instagram.com', 'vine.co', 'player.vimeo.com', 'vimeo.com', 'dailymotion.com', 'player.youku.com', 'youku.com'];
+        if (!_.contains(supportedDomains, domain)) {
+            // Unsupported domain, don't inject iframe
+            return def;
+        }
         this.$target.append($('<iframe/>', {
-            src: _.escape(this.$target.data('oe-expression') || this.$target.data('src')),
+            src: src,
             frameborder: '0',
             allowfullscreen: 'allowfullscreen',
-            sandbox: 'allow-scripts allow-same-origin', // https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
         }));
 
         return def;