Commit graph

2108 commits

Author SHA1 Message Date
Samantaz Fox 28a6589a1e
Merge pull request #2538 from bbielsa/player-remember-position
Retain video time position in video player
2021-12-21 22:05:43 +01:00
Samantaz Fox ddb06b0cac
Fix XSS vulnerability in channel playlists
The channel/<ucid>/playlists page was vulnerable to Cross Site Scripting
(XSS), because the different URL parameters were inserted as-is in the URL
meant for instance switching.

This vulnerability could allow an attacker to inject malicious Javascript
in the page by tricking the user to click on a crafted link.

Bug introduced in commit 66e7285108
("Only use /redirect when automatically redirecting").

Thanks to Jack (@testa:cthd.icu on Matrix, @cysea on github) for responsibly
reporting this issue!
2021-12-19 20:51:44 +01:00
bbielsa b90bceb2dc Fix formatting of preferences.cr and videos.cr 2021-12-15 19:38:58 +01:00
bbielsa f31bd5ffb9 Use localization for save player position label in the preferences page 2021-12-15 19:38:56 +01:00
bbielsa 5abe7fe123 Rename 'remember_position' to 'save_player_pos' for clarity 2021-12-15 19:37:55 +01:00
bbielsa a6a0bbf398 Add remember_position field to the Preferences and VideoPreferences structs, and add a checkbox in the preferences page to toggle it 2021-12-15 19:37:55 +01:00
Samantaz Fox ee91effb7a
Merge pull request #2576 from SamantazFox/fix-locales-handling
Fix locales handling
2021-12-12 22:26:22 +01:00
Samantaz Fox f236a6872b
Merge pull request #2659 from SamantazFox/fix-likes-dislikes
Fix likes/dislikes
2021-12-06 03:52:38 +01:00
Samantaz Fox 3e0096f360
Merge pull request #2683 from iv-org/SamantazFox-patch-1
Fix #2682
2021-12-02 15:35:00 +01:00
Samantaz Fox 438b334320
Merge pull request #2671 from matthewmcgarvey/code-removal
Remove dead code
2021-12-01 20:49:23 +01:00
Samantaz Fox 4aa96ecab9
Use 'dig()' in 'find()' statements 2021-12-01 17:32:10 +01:00
Samantaz Fox 7b9d26d688
Fix #2670
Fixes "Download widget replaces spaces in filename with +"
https://github.com/iv-org/invidious/issues/2670
2021-11-29 23:12:55 +01:00
matthewmcgarvey 8d4b4cd14c Remove dead code 2021-11-29 09:11:50 -06:00
Samantaz Fox 342fc202a7
Fix #2682
Fix "Missing param name: "q" (KeyError)"
https://github.com/iv-org/invidious/issues/2682
2021-11-29 14:53:27 +01:00
Samantaz Fox 4436359d07
Use dig to get category contents
Co-authored-by: Matthew McGarvey <matthewmcgarvey14@gmail.com>
2021-11-28 23:44:37 +01:00
Samantaz Fox 91f8395222
Typo: missing '?' when looking for key in dislikes_button
Co-authored-by: Matthew McGarvey <matthewmcgarvey14@gmail.com>
2021-11-28 23:37:27 +01:00
Émilien Devos c6e086c6ff
Revert "Temporarily fix for #2612" (#2673) 2021-11-28 09:41:16 +01:00
Samantaz Fox 82f3eda82b
Merge pull request #2656 from SamantazFox/fix-2549
extract_video_info: Make sure that the Android player response is valid
2021-11-28 02:38:29 +01:00
Samantaz Fox 05f9613e14
Merge pull request #2623 from SamantazFox/temp-decompression-fix
Temporarily fix for #2612
2021-11-28 02:35:39 +01:00
Samantaz Fox ceb1feb350
likes/dislikes: better fallback management
'.to_i64?' instead of '.to_i64' returns nil rather than raising
an exception when it's done on an empty string.

In some rare cases, rating can be equal to 5. In this case, the
value of player_response[videoDetails][averageRating] is an
Int and not a Float.
2021-11-25 23:16:50 +01:00
Samantaz Fox 2ea0590b03
i18n: return 'key' if 'key' is not in locales files 2021-11-25 19:46:34 +01:00
Samantaz Fox 80a513baa5
Use new techniques to get (dis)likes back 2021-11-24 01:22:09 +01:00
Samantaz Fox ba48f68fc3
allow multiple, successive content-encodings 2021-11-21 18:16:05 +01:00
Samantaz Fox 319587e2f1
extract_video_info: make sure that the Android player response is valid 2021-11-21 17:34:17 +01:00
Samantaz Fox bf7952d9c7
i18n: log a warning instead of rising an exception
This is more user-friendly.
TODO: maybe make a compile time flag for testing purposes
2021-11-21 01:54:54 +01:00
Samantaz Fox f29ab53aff
Add other missing translations
* on watch page and video cards (search results, playlists, etc...)
* on /feed/playlists
* in search filters (not normalized in order to avoid collisions with
an existing PR that reworks the search filters)
2021-11-21 01:54:46 +01:00
Samantaz Fox b5b0c58de7
Add missing translation for quality selectors 2021-11-21 01:50:11 +01:00
Samantaz Fox a1bb421eec
Remove useless 'hl' parameters on captions URL 2021-11-21 01:50:11 +01:00
Samantaz Fox 139786b9ef
i18n: pass only the ISO code string to 'translate()'
Don't use the whole Hash everywhere.
Also fall back nicely to english string if no translation exists.
2021-11-21 01:50:11 +01:00
Samantaz Fox 301444563b
i18n: Use language full name instead of ISO code
Fixes #851
2021-11-21 01:50:11 +01:00
Samantaz Fox 9966c21c6b
i18n: Add list of language names 2021-11-21 01:50:11 +01:00
babababag fd54cf2d05
Escape video description 2021-11-17 12:04:30 +00:00
Samantaz Fox 2c447a42f2
Make sure to only apply fix if QUIC is disabled 2021-11-16 21:40:35 +01:00
Samantaz Fox dad8f9a0ce
Fix typo
Should be checking the returned headers, not the sent ones.
2021-11-16 20:39:26 +01:00
Samantaz Fox 2eac23a0b3
Temporary fix for #2612
Don't rely on the auto compression/decompression provided by the crystal stdlib.
2021-11-16 13:46:28 +01:00
Samantaz Fox 00904ae3f2
Merge pull request #2444 from syeopite/only-use-redirect-endpoint-when-needed
Only use the /redirect endpoint when automatically redirecting to another instance
2021-11-13 20:40:09 +01:00
Émilien Devos d214a0b333
remove duplicate lsquic requirement 2021-11-12 23:02:43 +00:00
syeopite a120f143d7
Disable quic by default
See #2577
2021-11-12 04:03:23 -08:00
syeopite 65fbdbff6a
Remove of gzip header w/ use_quic config
Continuation of b0f127d4d8
2021-11-12 03:52:50 -08:00
syeopite 6ec4dcfafd
Fix handling for maxres thumbnail 2021-11-12 03:47:58 -08:00
syeopite 48191aca6e
Fix copy-paste error 2021-11-12 03:47:57 -08:00
syeopite 83556bace2
Allow thumbnail queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite 814c9e6c3a
Use https for storyboard image requests 2021-11-12 03:47:57 -08:00
syeopite 547abe17d9
Use https for ggpht requests 2021-11-12 03:47:57 -08:00
syeopite 6b8450558d
Allow storyboard queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite c3747c2d49
Allow ggpht queries with QUIC disabled 2021-11-12 03:47:57 -08:00
syeopite 245122104a
Respect use_quic param and fix typos 2021-11-12 03:47:57 -08:00
syeopite b0f127d4d8
Fix gzip decompression with HTTP::Client 2021-11-12 03:47:57 -08:00
syeopite d379a36c0e
Add compile-time flag to remove code for QUIC 2021-11-12 03:47:50 -08:00
Samantaz Fox 6cf0ff6b49
Remove useless auto_generated param from PlaylistVideo#to_xml
given the variables available in this function's context, 'author' and 'ucid'
provide the same data 'self.author' and 'self.ucid', respectively.

Given that fact, the variable `auto_generated` has no impact on the logic of
this function, and hence can be safely removed. this greatly simplifies the
code and makes it perfectly compatible with crystal's calling convention for
'#to_xml' methods.
2021-10-29 16:26:42 +02:00