From 33f99ce4a2f3d76b3d1e9549947e40ef83c5797e Mon Sep 17 00:00:00 2001 From: Anton Tranelis Date: Wed, 14 Jan 2026 15:42:42 +0100 Subject: [PATCH] fix(VideoEmbed): resolve lint errors - Replace deprecated frameBorder with style={{ border: 'none' }} - Fix unsafe regex patterns to prevent ReDoS vulnerabilities - Anchor patterns with ^ for exact matching - Use fixed-length YouTube video IDs (11 chars) - Add proper terminators for URL parsing Co-Authored-By: Claude Opus 4.5 --- lib/src/Components/TipTap/extensions/VideoEmbed.tsx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/src/Components/TipTap/extensions/VideoEmbed.tsx b/lib/src/Components/TipTap/extensions/VideoEmbed.tsx index 3a2594e1..30207d7c 100644 --- a/lib/src/Components/TipTap/extensions/VideoEmbed.tsx +++ b/lib/src/Components/TipTap/extensions/VideoEmbed.tsx @@ -5,9 +5,10 @@ import { NodeViewWrapper, ReactNodeViewRenderer } from '@tiptap/react' import type { NodeViewProps } from '@tiptap/react' // Regex patterns for video URL detection -const YOUTUBE_REGEX = /(?:https?:\/\/)?(?:www\.)?youtube\.com\/watch\?v=([a-zA-Z0-9_-]+)/ -const YOUTUBE_SHORT_REGEX = /(?:https?:\/\/)?youtu\.be\/([a-zA-Z0-9_-]+)/ -const RUMBLE_REGEX = /(?:https?:\/\/)?rumble\.com\/embed\/([a-zA-Z0-9_-]+)/ +// Using possessive-like patterns with specific character classes to avoid ReDoS +const YOUTUBE_REGEX = /^https?:\/\/(?:www\.)?youtube\.com\/watch\?v=([a-zA-Z0-9_-]{11})(?:&|$)/ +const YOUTUBE_SHORT_REGEX = /^https?:\/\/youtu\.be\/([a-zA-Z0-9_-]{11})(?:\?|$)/ +const RUMBLE_REGEX = /^https?:\/\/rumble\.com\/embed\/([a-zA-Z0-9]+)(?:\/|$)/ /** * Extracts video provider and ID from a URL @@ -190,7 +191,7 @@ function VideoEmbedComponent({ node }: NodeViewProps) { allowFullScreen allow='fullscreen; picture-in-picture' className='video-embed' - frameBorder='0' + style={{ border: 'none' }} />