From 74532a0839b57337cc26ffc66b2884039e68f23b Mon Sep 17 00:00:00 2001
From: qsm-odoo <qsm@odoo.com>
Date: Fri, 16 Jul 2021 11:26:38 +0200
Subject: [PATCH] [FIX] website: fix video loading

task-2376327
---
 .../src/js/content/snippets.animation.js      | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/addons/website/static/src/js/content/snippets.animation.js b/addons/website/static/src/js/content/snippets.animation.js
index 2914a1c427c5..8c93167f1c1c 100644
--- a/addons/website/static/src/js/content/snippets.animation.js
+++ b/addons/website/static/src/js/content/snippets.animation.js
@@ -608,7 +608,10 @@ registry.mediaVideo = publicWidget.Widget.extend({
 
         var def = this._super.apply(this, arguments);
         if (this.$target.children('iframe').length) {
-            // There already is an <iframe/>, do nothing
+            // There already is an <iframe/>, do nothing. This is the normal
+            // case. The whole code that follows is only there to ensure
+            // compatibility with videos added before bug fixes or new Odoo
+            // versions where the <iframe/> element is properly saved.
             return def;
         }
 
@@ -626,11 +629,23 @@ registry.mediaVideo = publicWidget.Widget.extend({
         // the src is saved in the 'data-src' attribute or the
         // 'data-oe-expression' one (the latter is used as a workaround in 10.0
         // system but should obviously be reviewed in master).
+        var src = _.escape(this.$target.data('oe-expression') || this.$target.data('src'));
+        // Validate the src to only accept supported domains we can trust
+        var m = src.match(/^(?:https?:)?\/\/([^/?#]+)/);
+        if (!m) {
+            // Unsupported protocol or wrong URL format, don't inject iframe
+            return def;
+        }
+        var domain = m[1].replace(/^www\./, '');
+        var supportedDomains = ['youtu.be', 'youtube.com', 'youtube-nocookie.com', 'instagram.com', 'vine.co', 'player.vimeo.com', 'vimeo.com', 'dailymotion.com', 'player.youku.com', 'youku.com'];
+        if (!_.contains(supportedDomains, domain)) {
+            // Unsupported domain, don't inject iframe
+            return def;
+        }
         this.$target.append($('<iframe/>', {
-            src: _.escape(this.$target.data('oe-expression') || this.$target.data('src')),
+            src: src,
             frameborder: '0',
             allowfullscreen: 'allowfullscreen',
-            sandbox: 'allow-scripts allow-same-origin', // https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
         }));
 
         return def;
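Review bot: The `sandbox` attribute on the appended `<iframe/>` is dropped in this hunk with no comment explaining why, and the commit message says nothing about it either. The new domain allowlist is now the only thing standing between untrusted `data-src`/`data-oe-expression` values and an unsandboxed frame, so the reason for giving up the top-navigation and popup restrictions should be recorded next to the removal, or a sandbox value that still lets the listed players work should be kept (which tokens they need is not visible here). On the allowlist itself, `m[1]` captures everything between `//` and the first `/`, `?` or `#`, so userinfo or a port (`user@youtube.com`, `youtube.com:443`) and any uppercase host end up in `domain` and fail the exact `_.contains` check — that is a reject rather than a bypass, which is the right outcome, but worth stating with `// Exact, case-sensitive host match on purpose: userinfo, ports and other subdomains are rejected rather than stripped`. `supportedDomains` is rebuilt on every call; hoisting it to a module-level constant would make the allowlist easier to find and audit. The enclosing method starts before this hunk and continues past it.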
-- 
GitLab