HotSpot Block- Whitelist Domain and Prevent Xss attack #109

RitwikSrivastava · 2024-10-07T05:22:31Z

When isVideoVariant is true, the code creates a new URL object from the content string. This can help prevent XSS attacks because it ensures that the content string is a properly formatted URL. If it's not, an error will be thrown and caught, preventing any potentially malicious code from being executed.

Additionally, the code checks if the hostname of the URL is included in a list of allowed video domains. This is another measure that can help prevent XSS attacks, as it restricts the sources of the videos to trusted domains

Fix #

Test URLs:

aem-code-sync · 2024-10-07T05:22:34Z

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
In case there are problems, just click a checkbox below to rerun the respective action.

Re-run PSI checks
Re-sync branch

Commits

d8013b9 ✅ (latest)
9173177 ✅
d0f26f6 ✅
bc643de ✅

aem-code-sync · 2024-10-07T05:22:47Z

	Page	Scores	Audits	Google
📱	/hotspot-block/hotspot
🖥️	/hotspot-block/hotspot

sdmcraft · 2024-10-08T10:45:08Z

blocks/hotspot/hotspot.js

+          </iframe>
+        </div>`;
+          } else {
+            console.warn('Untrusted video URL:', url.href);


Please address linting errors.

Prevent Xss attack

bc643de

RitwikSrivastava requested a review from sdmcraft October 7, 2024 05:22

Prevent Xss attack

d0f26f6

aem-code-sync bot temporarily deployed to hotspotblock October 7, 2024 05:31 Inactive

RitwikSrivastava changed the title ~~HotSpot Block- Allowed Domain and Prevent Xss attack~~ HotSpot Block- Whitelist Domain and Prevent Xss attack Oct 7, 2024