
fix(youtube-player): use safevalues #30773

Open
wants to merge 3 commits into
base: main

Conversation

andrewseguin
Contributor

Use Google's safevalues package to avoid casting to any for the url in the youtube player

@andrewseguin andrewseguin requested a review from a team as a code owner April 2, 2025 11:12
@andrewseguin andrewseguin requested review from mmalerba and wagnermaciel and removed request for a team April 2, 2025 11:12
@andrewseguin andrewseguin requested a review from crisbeto April 2, 2025 11:29
@andrewseguin andrewseguin added the target: patch This PR is targeted for the next patch release label Apr 2, 2025
Member

@crisbeto crisbeto left a comment


Overall LGTM, although I don't quite follow why we want the dependency when the URL is hardcoded.

@andrewseguin
Contributor Author

This was going to be added to remove the any cast, but it looks like it might just work out of the box. This is probably not necessary.

Some context: #30613

@mmalerba mmalerba removed their request for review April 2, 2025 22:26
@jamOne-
Contributor

jamOne- commented Apr 7, 2025

Hello! I tried simply hardcoding the url with script.src = url, but then a tsec unit test fails with the ban-script-src-assignments check and I wanted to resolve that.

I do not fully understand why this assignment is risky without the safevalues package, I just trusted the check. Maybe it's wrong and we should just retain the (script as any).src assignment. WDYT?

@crisbeto
Member

crisbeto commented Apr 7, 2025

My understanding is that the tsec check uses the type checker to find if the variable has a src property and prevents any strings from being written to it. We can either leave it as is or rewrite the code in a way where tsec can't analyze it.
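To make concrete what the ban-script-src-assignments check is guarding against and what a safevalues-style type buys, here is an added illustration written for this thread; it is not the safevalues package's API and not code from this PR. It models a branded "trusted resource URL": the template tag only accepts a literal with no interpolations, and the only sanctioned setter refuses anything without the brand, so the type checker can tell an authoring-time constant from a string built at runtime (which is what a plain `script.src = someString` cannot express). The `ScriptLike` stand-in for `HTMLScriptElement`, the function names and the example URL are all assumptions made for the example.

```typescript
// Added illustration of the idea behind tsec's ban-script-src-assignments
// and a safevalues-style trusted resource URL. Not the safevalues API and
// not code from this PR; names and the sample URL are constructed here.

// Brand symbol: only values produced by the template tag below carry it,
// so the type checker can distinguish a vetted URL from an arbitrary string.
const TRUSTED = Symbol('TrustedResourceUrl');

interface TrustedResourceUrl {
  readonly [TRUSTED]: true;
  toString(): string;
}

// Tag function: accepts ONLY a literal template with no interpolations,
// so the URL is fixed when the code is written. Strings assembled at
// runtime (possibly from user-controlled data) never receive the brand.
function trustedResourceUrl(
  strings: TemplateStringsArray,
  ...values: unknown[]
): TrustedResourceUrl {
  if (values.length !== 0) {
    throw new Error('trustedResourceUrl: interpolation is not allowed');
  }
  const url = strings.join('');
  return {[TRUSTED]: true, toString: () => url};
}

function isTrustedResourceUrl(v: unknown): v is TrustedResourceUrl {
  return (
    typeof v === 'object' &&
    v !== null &&
    (v as Record<symbol, unknown>)[TRUSTED] === true
  );
}

// Minimal stand-in for HTMLScriptElement so the example runs outside a browser.
interface ScriptLike {
  src: string;
}

// The single sanctioned way to write script.src in this scheme. A plain
// string is rejected by the signature and, defensively, at runtime too.
function setScriptSrc(el: ScriptLike, url: TrustedResourceUrl): void {
  if (!isTrustedResourceUrl(url)) {
    throw new TypeError('setScriptSrc: expected a TrustedResourceUrl');
  }
  el.src = url.toString();
}

// Demonstration: a hardcoded URL (constructed placeholder) is accepted;
// an interpolated one and a raw string cast past the type checker are not.
function demo(): {ok: string; rejectedInterpolation: boolean; rejectedString: boolean} {
  const script: ScriptLike = {src: ''};
  setScriptSrc(script, trustedResourceUrl`https://example.com/player-api.js`);

  let rejectedInterpolation = false;
  try {
    const host = 'example.com'; // imagine this came from a query parameter
    trustedResourceUrl`https://${host}/player-api.js`;
  } catch {
    rejectedInterpolation = true;
  }

  let rejectedString = false;
  try {
    // A cast is the only way to get a string past the signature; the
    // runtime brand check still catches it.
    setScriptSrc(script, 'https://example.com/player-api.js' as unknown as TrustedResourceUrl);
  } catch {
    rejectedString = true;
  }

  return {ok: script.src, rejectedInterpolation, rejectedString};
}
```

The point for the thread: a hardcoded URL is not dangerous by itself, but `script.src = url` with `url: string` gives the checker no way to know the value is hardcoded rather than runtime data, which is exactly what the type-based check reacts to. A branded type carries that provenance through the type system, so the check can pass without an `any` cast.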

Labels
area: youtube-player target: patch This PR is targeted for the next patch release