diff --git a/blocks/hotspot/hotspot.js b/blocks/hotspot/hotspot.js
index 9b8bb57a5d..dfbdc1157a 100644
--- a/blocks/hotspot/hotspot.js
+++ b/blocks/hotspot/hotspot.js
@@ -23,10 +23,31 @@ export default function decorate(block) {
 contentContainer.appendChild(img);
 } else if (isVideoVariant) {
 const video = document.createElement('div');
- video.innerHTML = `
- -
`;
+ const allowedVideoDomains = ['youtube.com', 'vimeo.com', 'sidekick-library--aem-block-collection--adobe'];
+ try {
+ const url = new URL(content);
+ // the below code can be updated to include more video hosting sites
+ const domainCheck = (domain) => url.hostname.includes(domain);
+ const isTrustedDomain = allowedVideoDomains.some(domainCheck);
+ if (isTrustedDomain) {
+ const div = document.createElement('div');
+ div.className = 'embed-default';
+
+ const iframe = document.createElement('iframe');
+ iframe.src = url.href;
+ iframe.setAttribute('allow', 'encrypted-media');
+ iframe.setAttribute('loading', 'lazy');
+
+ div.appendChild(iframe);
+ video.appendChild(div);
+ } else {
+ video.textContent = 'This video source is not allowed.';
+ contentContainer.classList.add('bgborder');
+ }
+ } catch (e) {
+ video.textContent = 'Invalid video URL.';
+ contentContainer.classList.add('bgborder');
+ }
 // above code can be updated for video controls such as autoplay, loop, etc.
 contentContainer.appendChild(video);
 } else if (isTextVariant) {
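Review bot: The allowlist test `url.hostname.includes(domain)` is a substring match, so a hostname that merely contains an allowed string (constructed example: `youtube.com.example.net`) is treated as trusted and becomes the iframe source. Match the whole hostname or a dot-delimited suffix instead, `const domainCheck = (domain) => url.hostname === domain || url.hostname.endsWith('.' + domain);`, and replace the `'sidekick-library--aem-block-collection--adobe'` entry, which is a hostname fragment rather than a domain, with the full hostname it is meant to allow. The check also never looks at the scheme, so an `http:` URL on an allowed host is embedded; `if (isTrustedDomain && url.protocol === 'https:')` closes that. The enclosing `decorate` function starts and ends outside the hunk.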