From bc643de090f8f728e646cf72e604965457b8bab3 Mon Sep 17 00:00:00 2001 From: Ritwik Srivastava Date: Mon, 7 Oct 2024 10:50:57 +0530 Subject: [PATCH 1/4] Prevent Xss attack --- blocks/hotspot/hotspot.js | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/blocks/hotspot/hotspot.js b/blocks/hotspot/hotspot.js index 9b8bb57a5d..0e84e2c56b 100644 --- a/blocks/hotspot/hotspot.js +++ b/blocks/hotspot/hotspot.js @@ -23,10 +23,26 @@ export default function decorate(block) { contentContainer.appendChild(img); } else if (isVideoVariant) { const video = document.createElement('div'); - video.innerHTML = `
- -
`; + const allowedVideoDomains = ['youtube.com', 'vimeo.com', 'sidekick-library--aem-block-collection--adobe']; + try { + const url = new URL(content); + //the below code can be updated to include more video hosting sites + const isTrustedDomain = allowedVideoDomains.some((domain) => url.hostname.includes(domain)); + if (isTrustedDomain) { + video.innerHTML = ` +
+ +
`; + } else { + console.warn('Untrusted video URL:', url.href); + video.textContent = 'This video source is not allowed.'; + contentContainer.classList.add('bgborder'); + } + } catch (e) { + console.error('Invalid video URL:', content); + video.textContent = 'Invalid video URL.'; + } // above code can be updated for video controls such as autoplay, loop, etc. contentContainer.appendChild(video); } else if (isTextVariant) { From d0f26f6d3b3d5fbd8eef4953ff270df2a28e1718 Mon Sep 17 00:00:00 2001 From: Ritwik Srivastava Date: Mon, 7 Oct 2024 11:00:54 +0530 Subject: [PATCH 2/4] Prevent Xss attack --- blocks/hotspot/hotspot.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/blocks/hotspot/hotspot.js b/blocks/hotspot/hotspot.js index 0e84e2c56b..40c981c404 100644 --- a/blocks/hotspot/hotspot.js +++ b/blocks/hotspot/hotspot.js @@ -26,8 +26,9 @@ export default function decorate(block) { const allowedVideoDomains = ['youtube.com', 'vimeo.com', 'sidekick-library--aem-block-collection--adobe']; try { const url = new URL(content); - //the below code can be updated to include more video hosting sites - const isTrustedDomain = allowedVideoDomains.some((domain) => url.hostname.includes(domain)); + // the below code can be updated to include more video hosting sites + const domainCheck = (domain) => url.hostname.includes(domain); + const isTrustedDomain = allowedVideoDomains.some(domainCheck); if (isTrustedDomain) { video.innerHTML = `
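Review bot: The allow-list test `url.hostname.includes(domain)` is a substring match, so any hostname that merely contains `youtube.com` or `vimeo.com` as part of a longer, attacker-controlled name passes and is written straight into the iframe `src`; the scheme is not checked either, so an `http:` URL is accepted. Match the host exactly or as a dotted suffix and require https, e.g. `const isTrustedDomain = url.protocol === 'https:' && allowedVideoDomains.some((domain) => url.hostname === domain || url.hostname.endsWith('.' + domain));`. The third list entry does not look like a complete hostname, so under exact/suffix matching it would presumably need to be spelled out in full — confirm what host it is meant to match. The same substring check is carried unchanged into the PATCH 2/4 hunk (as `domainCheck`) and the PATCH 4/4 hunk, where the accepted URL becomes `iframe.src`. `decorate()` begins and ends outside this hunk.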
From 917317785356da310f4f199b1a19a40af3d95242 Mon Sep 17 00:00:00 2001 From: RitwikSrivastava <45959816+RitwikSrivastava@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:13:11 +0530 Subject: [PATCH 3/4] Update hotspot.js --- blocks/hotspot/hotspot.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/blocks/hotspot/hotspot.js b/blocks/hotspot/hotspot.js index 40c981c404..7f50dc1411 100644 --- a/blocks/hotspot/hotspot.js +++ b/blocks/hotspot/hotspot.js @@ -36,12 +36,10 @@ export default function decorate(block) {
`; } else { - console.warn('Untrusted video URL:', url.href); video.textContent = 'This video source is not allowed.'; contentContainer.classList.add('bgborder'); } } catch (e) { - console.error('Invalid video URL:', content); video.textContent = 'Invalid video URL.'; } // above code can be updated for video controls such as autoplay, loop, etc. From d8013b9140ee8633093b095b5d24a9087e403511 Mon Sep 17 00:00:00 2001 From: Ritwik Srivastava Date: Thu, 10 Oct 2024 09:31:10 +0530 Subject: [PATCH 4/4] Remove innerHtml --- blocks/hotspot/hotspot.js | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/blocks/hotspot/hotspot.js b/blocks/hotspot/hotspot.js index 7f50dc1411..dfbdc1157a 100644 --- a/blocks/hotspot/hotspot.js +++ b/blocks/hotspot/hotspot.js @@ -30,17 +30,23 @@ export default function decorate(block) { const domainCheck = (domain) => url.hostname.includes(domain); const isTrustedDomain = allowedVideoDomains.some(domainCheck); if (isTrustedDomain) { - video.innerHTML = ` -
- -
`; + const div = document.createElement('div'); + div.className = 'embed-default'; + + const iframe = document.createElement('iframe'); + iframe.src = url.href; + iframe.setAttribute('allow', 'encrypted-media'); + iframe.setAttribute('loading', 'lazy'); + + div.appendChild(iframe); + video.appendChild(div); } else { video.textContent = 'This video source is not allowed.'; contentContainer.classList.add('bgborder'); } } catch (e) { video.textContent = 'Invalid video URL.'; + contentContainer.classList.add('bgborder'); } // above code can be updated for video controls such as autoplay, loop, etc. contentContainer.appendChild(video);
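Review bot: The `try` block now wraps the DOM construction as well as `new URL(content)`, so an exception from `createElement`/`setAttribute` would be reported to the user as 'Invalid video URL.' and, since PATCH 3/4 dropped the logging, leave no trace; the `e` binding is also never read. Narrow the try to the parse, e.g. `let url = null; try { url = new URL(content); } catch { /* invalid URL */ }`, and treat a null `url` like the untrusted branch, keeping the existing trusted/untrusted logic outside the try. The comment `// above code can be updated for video controls such as autoplay, loop, etc.` predates the switch away from the template string; it should now point at the `iframe.setAttribute(...)` calls (and the iframe would benefit from a `title` attribute for assistive technology). `decorate()` begins and ends outside this hunk.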