From 7656b37e1bcef24b47cb73549575f9ea8eb30225 Mon Sep 17 00:00:00 2001
From: Hongbo Wu <hongbo@omnivore.app>
Date: Fri, 23 Sep 2022 16:16:25 +0800
Subject: [PATCH] Escape youtube title and author name

---
 packages/content-fetch/youtube-handler.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/packages/content-fetch/youtube-handler.js b/packages/content-fetch/youtube-handler.js
index 179e4614f..cdf9bee32 100644
--- a/packages/content-fetch/youtube-handler.js
+++ b/packages/content-fetch/youtube-handler.js
@@ -5,6 +5,7 @@
 /* eslint-disable @typescript-eslint/no-require-imports */
 require('dotenv').config();
 const axios = require('axios');
+const _ = require('underscore');
 
 const YOUTUBE_URL_MATCH =
   /^((?:https?:)?\/\/)?((?:www|m)\.)?((?:youtube\.com|youtu.be))(\/(?:[\w-]+\?v=|embed\/|v\/)?)([\w-]+)(\S+)?$/
@@ -36,11 +37,12 @@ exports.youtubeHandler = {
 
     const oembedUrl = `https://www.youtube.com/oembed?format=json&url=` + encodeURIComponent(`https://www.youtube.com/watch?v=${videoId}`)
     const oembed = (await axios.get(oembedUrl.toString())).data;
-    const title = oembed.title;
+    const title = _.escape(oembed.title);
     const ratio = oembed.width / oembed.height;
     const thumbnail = oembed.thumbnail_url;
     const height = 350;
     const width = height * ratio;
+    const authorName = _.escape(oembed.author_name);
 
     const content = `
     <html>
@@ -49,12 +51,12 @@ exports.youtubeHandler = {
       <meta property="og:image:secure_url" content="${thumbnail}" />
       <meta property="og:title" content="${title}" />
       <meta property="og:description" content="" />
-      <meta property="og:article:author" content="${oembed.author_name}" />
+      <meta property="og:article:author" content="${authorName}" />
       </head>
       <body>
       <iframe width="${width}" height="${height}" src="https://www.youtube.com/embed/${videoId}" title="${title}" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
         <p><a href="${url}" target="_blank">${title}</a></p>
-        <p itemscope="" itemprop="author" itemtype="http://schema.org/Person">By <a href="${oembed.author_url}" target="_blank">${oembed.author_name}</a></p>
+        <p itemscope="" itemprop="author" itemtype="http://schema.org/Person">By <a href="${oembed.author_url}" target="_blank">${authorName}</a></p>
       </body>
     </html>`