myetv-player 1.0.0 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/.github/workflows/codeql.yml +100 -0
  2. package/README.md +36 -58
  3. package/SECURITY.md +50 -0
  4. package/css/myetv-player.css +301 -218
  5. package/css/myetv-player.min.css +1 -1
  6. package/dist/myetv-player.js +1713 -1503
  7. package/dist/myetv-player.min.js +1670 -1471
  8. package/package.json +6 -1
  9. package/plugins/README.md +1016 -0
  10. package/plugins/cloudflare/README.md +1068 -0
  11. package/plugins/cloudflare/myetv-player-cloudflare-stream-plugin.js +556 -0
  12. package/plugins/facebook/README.md +1024 -0
  13. package/plugins/facebook/myetv-player-facebook-plugin.js +437 -0
  14. package/plugins/gamepad-remote-controller/README.md +816 -0
  15. package/plugins/gamepad-remote-controller/myetv-player-gamepad-remote-plugin.js +678 -0
  16. package/plugins/google-adsense-ads/README.md +1 -0
  17. package/plugins/google-adsense-ads/g-adsense-ads-plugin.js +158 -0
  18. package/plugins/google-ima-ads/README.md +1 -0
  19. package/plugins/google-ima-ads/g-ima-ads-plugin.js +355 -0
  20. package/plugins/twitch/README.md +1185 -0
  21. package/plugins/twitch/myetv-player-twitch-plugin.js +569 -0
  22. package/plugins/vast-vpaid-ads/README.md +1 -0
  23. package/plugins/vast-vpaid-ads/vast-vpaid-ads-plugin.js +346 -0
  24. package/plugins/vimeo/README.md +1416 -0
  25. package/plugins/vimeo/myetv-player-vimeo.js +640 -0
  26. package/plugins/youtube/README.md +851 -0
  27. package/plugins/youtube/myetv-player-youtube-plugin.js +1714 -210
  28. package/scss/README.md +160 -0
  29. package/scss/_menus.scss +840 -672
  30. package/scss/_responsive.scss +67 -105
  31. package/scss/_volume.scss +67 -105
  32. package/src/README.md +559 -0
  33. package/src/controls.js +16 -4
  34. package/src/core.js +1192 -1062
  35. package/src/i18n.js +27 -1
  36. package/src/quality.js +478 -436
  37. package/src/subtitles.js +2 -2
package/src/i18n.js CHANGED
@@ -284,14 +284,40 @@ class VideoPlayerI18n {
284
284
  // Add new translations
285
285
  addTranslations(lang, translations) {
286
286
  try {
287
+ // SECURITY: Prevent prototype pollution by validating lang parameter
288
+ if (!this.isValidLanguageKey(lang)) {
289
+ console.warn('Invalid language key rejected:', lang);
290
+ return;
291
+ }
292
+
287
293
  if (!this.translations[lang]) {
288
294
  this.translations[lang] = {};
289
295
  }
290
- Object.assign(this.translations[lang], translations);
296
+
297
+ // SECURITY: Only copy safe properties from translations object
298
+ for (const key in translations) {
299
+ if (translations.hasOwnProperty(key) && this.isValidLanguageKey(key)) {
300
+ this.translations[lang][key] = translations[key];
301
+ }
302
+ }
291
303
  } catch (error) {
292
304
  console.warn('Error adding translations:', error);
293
305
  }
294
306
  }
307
+
308
+ // SECURITY: Validate that a key is safe (not a prototype polluting key)
309
+ isValidLanguageKey(key) {
310
+ if (typeof key !== 'string') return false;
311
+
312
+ // Reject dangerous prototype-polluting keys
313
+ const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
314
+ if (dangerousKeys.includes(key.toLowerCase())) {
315
+ return false;
316
+ }
317
+
318
+ // Accept only alphanumeric keys with underscore/dash (e.g., 'en', 'it', 'play_pause')
319
+ return /^[a-zA-Z0-9_-]+$/.test(key);
320
+ }
295
321
  }
296
322
 
297
323
  // Safe initialization with error handling