lazysizes is vulnerable to cross-site scripting (XSS). The attributes data-vimeo, data-vimeoparams, data-youtube and data-ytparams are not sanitized by the video-embed plugin, allowing a remote attacker to inject and execute arbitrary JavaScript in the user's browser via the affected parameters.
github.com/aFarkas/lazysizes/blob/a2f37ec2371bff523ea8b94800682e4ec3596b9b/plugins/video-embed/ls.video-embed.js#L73
github.com/aFarkas/lazysizes/blob/a2f37ec2371bff523ea8b94800682e4ec3596b9b/plugins/video-embed/ls.video-embed.js#L98
github.com/aFarkas/lazysizes/commit/3720ab8262552d4e063a38d8492f9490a231fd48
github.com/aFarkas/lazysizes/issues/764
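
One way to treat the four attributes named above as untrusted input before they reach an embed URL, shown as an added example that is not lazysizes code and not the project's fix. The helper names, the ID patterns and the dataset-style input object are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not lazysizes code.
// Assumed allow-lists: YouTube ids are 11 URL-safe characters, Vimeo ids are digits.
const PROVIDERS = new Map([
  ['youtube', { base: 'https://www.youtube.com/embed/', id: /^[A-Za-z0-9_-]{11}$/ }],
  ['vimeo', { base: 'https://player.vimeo.com/video/', id: /^[0-9]{1,12}$/ }],
]);

// Parse a raw "a=1&b=2" attribute value and re-serialize it, so quotes,
// angle brackets and other markup characters come back percent-encoded.
function safeParams(raw) {
  if (typeof raw !== 'string' || raw === '') return '';
  return new URLSearchParams(raw.replace(/^[?&]+/, '')).toString();
}

// Return a fixed-origin embed URL, or null when the id fails the allow-list.
function buildEmbedUrl(provider, id, rawParams) {
  const spec = PROVIDERS.get(provider);
  if (!spec || typeof id !== 'string' || !spec.id.test(id)) return null;
  const query = safeParams(rawParams);
  return spec.base + id + (query ? '?' + query : '');
}

// Map the four attributes named in the advisory (as dataset keys) to a URL.
function embedUrlFromDataset(dataset) {
  if (dataset.youtube !== undefined) {
    return buildEmbedUrl('youtube', dataset.youtube, dataset.ytparams);
  }
  if (dataset.vimeo !== undefined) {
    return buildEmbedUrl('vimeo', dataset.vimeo, dataset.vimeoparams);
  }
  return null;
}

// Build the iframe through DOM properties so the value is never parsed as HTML.
function mountEmbed(el, doc) {
  const url = embedUrlFromDataset(el.dataset);
  if (!url) return false;
  const iframe = doc.createElement('iframe');
  iframe.src = url;
  iframe.allowFullscreen = true;
  el.replaceChildren(iframe);
  return true;
}
```

In a browser, call mountEmbed(element, document); an element whose ID attribute fails validation is left unchanged.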