If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page. (Other attributes like theme or controls are also vulnerable to this.)
<!DOCTYPE html>
<html lang="en">
<head>
<title>TAC XSS</title>
<script src="tarteaucitron.js"></script>
<script>
(tarteaucitron.job = tarteaucitron.job || []).push('youtube');
tarteaucitron.init({ readmoreLink: '/foo', orientation: 'bottom' });
</script>
</head>
<body>
<div></div>
</body>
</html>
The srcdoc attribute can also be used for this (and should probably not be allowed):
<div></div>
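The root cause described above is that attribute values read from a `div` the attacker can place in the page (width, theme, controls, and srcdoc) reach the generated embed markup without validation. The following is an added example of the defensive pattern, not tarteaucitron's own code: every attribute taken from the element is either validated against a strict allowlist (integers for sizes, a fixed set of values for theme and controls, a fixed shape for the video id) or dropped, so an attribute such as srcdoc is never copied into the output at all. The attribute names, the allowed values, the defaults and the embed URL parameters are assumptions of this example, not taken from the library.

```javascript
// Added example (not tarteaucitron's own code): validate attributes read from
// a user-controllable <div> before they are used to build a YouTube embed.
// Attribute names (videoID, width, height, theme, controls) and the
// allowlists/defaults below are this example's assumptions.

const ALLOWED_THEME = new Set(['light', 'dark']);
const ALLOWED_CONTROLS = new Set(['0', '1']);
const MAX_DIMENSION = 4096;

// Accept only a plain positive integer for a size attribute. Anything else
// (quotes, angle brackets, extra words) falls back to the default.
function sanitizeDimension(value, fallback) {
  if (typeof value !== 'string' || !/^\d{1,4}$/.test(value)) return fallback;
  const n = Number(value);
  return n >= 1 && n <= MAX_DIMENSION ? n : fallback;
}

// A YouTube video id is 11 characters from [A-Za-z0-9_-]; reject everything else.
function sanitizeVideoId(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_-]{11}$/.test(value)
    ? value
    : null;
}

// Build a clean parameter object from raw element attributes. Only the fields
// listed here are ever copied, so an attacker-supplied srcdoc (or any other
// unexpected attribute) is simply ignored.
function sanitizeYoutubeParams(attrs) {
  const videoId = sanitizeVideoId(attrs.videoID);
  if (videoId === null) return null; // nothing safe to embed
  return {
    videoId,
    width: sanitizeDimension(attrs.width, 640),
    height: sanitizeDimension(attrs.height, 360),
    theme: ALLOWED_THEME.has(attrs.theme) ? attrs.theme : 'dark',
    controls: ALLOWED_CONTROLS.has(attrs.controls) ? attrs.controls : '1',
  };
}

// Minimal HTML attribute-value escaping for any string that is interpolated.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Produce the iframe markup from validated values only. The query parameter
// names are assumed for this example.
function buildEmbedHtml(attrs) {
  const p = sanitizeYoutubeParams(attrs);
  if (p === null) return '';
  const src =
    'https://www.youtube-nocookie.com/embed/' + p.videoId +
    '?theme=' + encodeURIComponent(p.theme) +
    '&controls=' + encodeURIComponent(p.controls);
  return '<iframe width="' + p.width + '" height="' + p.height +
    '" src="' + escapeAttr(src) + '" frameborder="0" allowfullscreen></iframe>';
}

// Constructed sample inputs: one well-formed div and one carrying hostile
// values in width, theme, controls and srcdoc.
const GOOD_ATTRS = { videoID: 'abcdefghijk', width: '640', height: '360', theme: 'light', controls: '0' };
const HOSTILE_ATTRS = { videoID: 'abcdefghijk', width: '10" onload="x', theme: 'x', controls: 'y', srcdoc: 'z' };
```

In a browser the same functions would be fed from `element.getAttribute(...)`, and the iframe would preferably be created with `document.createElement` and `setAttribute` rather than string concatenation; the validation step is what matters, because it guarantees that no attribute value can break out of its intended context regardless of how the markup is assembled.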