From 2216a0155c366a22a119e4a11fd78486cb9b3a13 Mon Sep 17 00:00:00 2001
From: 27chan <27chan@protonmail.com>
Date: Mon, 5 Sep 2022 13:58:41 -0300
Subject: [PATCH] Removed regex with possibiblity of XSS

An anonymous user reported the issue to me
---
 inc/config.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/inc/config.php b/inc/config.php
index c898555b..5cc15a4e 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -1191,9 +1191,10 @@
 
 	// Custom embedding (YouTube, vimeo, etc.)
 	// It's very important that you match the entire input (with ^ and $) or things will not work correctly.
+	// Be careful when creating a new embed, because depending on the URL you end up exposing yourself to an XSS.
 	$config['embedding'] = array(
 		array(
-			'/^https?:\/\/(\w+\.)?youtube\.com\/watch\?v=([a-zA-Z0-9\-_]{10,11})(&.+)?$/i',
+			'/^https?:\/\/(\w+\.)?youtube\.com\/watch\?v=([a-zA-Z0-9\-_]{10,11})?$/i',
 			'<iframe style="float: left; margin: 10px 20px;" width="%%tb_width%%" height="%%tb_height%%" frameborder="0" id="ytplayer" src="https://www.youtube.com/embed/$2"></iframe>'
 		),
 		array(