From 24cc07c09bdfa5ca81b30aae250cd835056c4d12 Mon Sep 17 00:00:00 2001
From: Dan Peterson
Date: Tue, 4 Jan 2022 16:15:30 -0600
Subject: [PATCH] escape referrerQuery in the oEmebed xml generator
---
 ui/util/web.js | 12 ++++++++++++
 web/src/html.js | 12 +-----------
 web/src/oEmbed.js | 5 ++++-
 3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/ui/util/web.js b/ui/util/web.js
index 93119844a..4da0eab9e 100644
--- a/ui/util/web.js
+++ b/ui/util/web.js
@@ -61,6 +61,17 @@ function getParameterByName(name, url) {
 return match && decodeURIComponent(match[1].replace(/\+/g, ' '));
 }
 
+function escapeHtmlProperty(property) {
+ return property
+ ? String(property)
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ : '';
+}
+
 // module.exports needed since the web server imports this function
 module.exports = {
 CONTINENT_COOKIE,
@@ -71,4 +82,5 @@ module.exports = {
 generateStreamUrl,
 getParameterByName,
 getThumbnailCdnUrl,
+ escapeHtmlProperty,
 };
diff --git a/web/src/html.js b/web/src/html.js
index 70365bdc6..55cac185d 100644
--- a/web/src/html.js
+++ b/web/src/html.js
@@ -18,6 +18,7 @@ const {
 generateStreamUrl,
 getParameterByName,
 getThumbnailCdnUrl,
+ escapeHtmlProperty,
 } = require('../../ui/util/web');
 const { getJsBundleId } = require('../bundle-id.js');
 const { lbryProxy: Lbry } = require('../lbry');
@@ -54,17 +55,6 @@ function truncateDescription(description, maxChars = 200) {
 return chars.length > maxChars ? truncated + '...' : truncated;
 }
 
-function escapeHtmlProperty(property) {
- return property
- ? String(property)
- .replace(/&/g, '&')
- .replace(//g, '>')
- .replace(/"/g, '"')
- .replace(/'/g, ''')
- : '';
-}
-
 function getCategoryMeta(path) {
 const page = Object.keys(CATEGORY_METADATA).find((x) => path === `/$/${x}` || path === `/$/${x}/`);
 return CATEGORY_METADATA[page];
diff --git a/web/src/oEmbed.js b/web/src/oEmbed.js
index 394ab056d..0249c2832 100644
--- a/web/src/oEmbed.js
+++ b/web/src/oEmbed.js
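Review bot: escapeHtmlProperty, added at the top of the ui/util/web.js hunk, carries no JSDoc stating which output context it escapes for, and the oEmbed.js hunk further down shows the cost of that omission: there its result is fed straight into encodeURIComponent, so an `&` in referrerQuery is first rewritten to its HTML entity (the entity text is garbled in this rendering of the patch) and then percent-encoded, reaching the embed URL doubly encoded, while encodeURIComponent alone already neutralises every character the escaper targets. I would document the contract above the function, e.g. `/** Escapes &, <, >, " and ' for interpolation into HTML text or attribute values; null/undefined yield ''. Not a URL encoder: apply it where HTML is emitted, not before encodeURIComponent. */`. Separately, `return property ? … : ''` maps 0 and false to an empty string instead of escaping their string form; `property == null ? '' : String(property)…` is the narrower guard if only absent values are meant to collapse. The oEmbed.js hunk's trailing context is cut off at the end of this patch, so whether videoUrl is later interpolated into iframe markup (the point where HTML escaping would actually belong) cannot be checked here.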
@@ -5,6 +5,7 @@ const {
 generateEmbedUrl,
 getParameterByName,
 getThumbnailCdnUrl,
+ escapeHtmlProperty,
 } = require('../../ui/util/web');
 const { lbryProxy: Lbry } = require('../lbry');
@@ -52,7 +53,9 @@ function generateOEmbedData(claim, referrerQuery) {
 const authorUrlPath = authorClaim && authorClaim.canonical_url.replace('lbry://', '').replace('#', ':');
 const authorUrl = authorClaim ? `${URL}/${authorUrlPath}` : null;
 const thumbnailUrl = value && value.thumbnail && value.thumbnail.url && getThumbnailCdnUrl(value.thumbnail.url);
- const videoUrl = generateEmbedUrl(claim.name, claim.claim_id) + (referrerQuery ? `r=${referrerQuery}` : '');
+ const videoUrl =
+ generateEmbedUrl(claim.name, claim.claim_id) +
+ (referrerQuery ? `r=${encodeURIComponent(escapeHtmlProperty(referrerQuery))}` : '');
 const { html, width, height } = generateEmbedIframeData(videoUrl);