#770 closed defect (fixed)
New video.js (was: XSS vulnerability)
Reported by: | Abandoned | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | 0.6.0 |
Component: | programming | Keywords: | |
Cc: | | Parent Tickets: | |
Description
VideoJS has an XSS vulnerability
http://mediagoblin.org/js/extlib/video-js/video-js.swf?readyFunction=alert%28%22a%22%29
Attachments (1)
Change History (6)
by , 11 years ago
Attachment: | screenshot.png added |
---|
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Well, I updated the videojs code in MediaGoblin master, but then realized that this was for the SWF stuff only... we don't use that in MediaGoblin proper! It is used on the mediagoblin.org campaign page, but that site is a 100% static site, no logins or anything, so I think it's moot.
In the meanwhile I'll use this to track what to do about the mediagoblin master code changing. The code I pushed broke our existing videojs theming. But this does decrease the priority of pushing out a release.
comment:3 by , 11 years ago
Component: | infrastructure → programming |
---|
comment:4 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I think actually we're going to stick with the latest video.js, but there's no hurry to push out a new release anymore.
comment:5 by , 11 years ago
Milestone: | → 0.6.0 |
---|---|
Summary: | XSS vulnerability → New video.js (was: XSS vulnerability) |
You're right, argh. It looks like this has been addressed here: https://github.com/videojs/video-js-swf/issues/12
We need to update our videojs code it looks like... trying now.