feat(markdown): support embedding YouTube and Kaltura videos via link-interception#5147
feat(markdown): support embedding YouTube and Kaltura videos via link-interception#5147rschlaefli wants to merge 11 commits into
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Confidence Score: 4/5This is close, but the remaining host check should be fixed before merging.
packages/markdown/src/VideoEmbed.tsx
|
| Filename | Overview |
|---|---|
| packages/markdown/src/VideoEmbed.tsx | Adds video parsing helpers and iframe rendering, with one remaining short-domain host validation issue. |
| packages/markdown/src/Markdown.tsx | Adds video link interception and preserves anchor props for regular links. |
| packages/markdown/test/VideoEmbed.test.ts | Adds parser coverage for accepted video URLs and several rejected URL shapes. |
| packages/markdown/package.json | Adds Vitest and a package test script. |
Reviews (10): Last reviewed commit: "test(markdown): add unit tests for Video..." | Re-trigger Greptile
…ety, a11y, and property forwarding
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 1509424 | Triggered | Generic Password | 14d3f11 | .devcontainer/docker-compose.yml | View secret |
| 1509424 | Triggered | Generic Password | 14d3f11 | .devrouter.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
…o regex in getYoutubeId
…pport # Conflicts: # .github/scripts/get-shard-files.js
…inal review fixes
| host === 'youtube.com' || | ||
| host.endsWith('.youtube.com') || | ||
| host === 'youtu.be' || | ||
| host.endsWith('.youtu.be') |
There was a problem hiding this comment.
host.endsWith('youtu.be') still accepts lookalike registrable domains such as attackyoutu.be. A labeled link like [video](https://attackyoutu.be/dQw4w9WgXcQ) passes this branch, extracts the path as a video id, and renders an embed even though the source link was not from youtu.be or one of its subdomains. Require the same exact-host or dot-boundary check used for the other allowed hosts.
Description
Supports embedding videos from controlled sources (YouTube and UZH Kaltura/SWITCHcast) in Markdown fields by intercepting links labeled as
videoorembed.For Kaltura, we use the SWITCHcast PlaykitJs embed endpoint to bypass the frame-based login loop entirely.
This implementation has been fully audited using
droidrunning GLM 5.2 for security, accessibility (WCAG), type safety, and property-forwarding correctness.Proposed Changes
getYoutubeId,getKalturaId,getKalturaPartnerId,getKalturaUiConfId).kaltura.com,*.kaltura.com,cast.switch.ch,*.cast.switch.ch) and strict character set validation for YouTube IDs (^[a-zA-Z0-9_-]{11}$).VideoEmbedReact component rendering a responsive iframe with a screen-readertitleand performance-optimizingloading="lazy".aanchor renderer inrehypeReactto render the embedded player when matching video URLs are encountered.[video ](url).target,rel,...rest) to preserve existing link-processing configurations likerehype-external-links.Manual Verification / How to Test
[video](https://www.youtube.com/watch?v=dQw4w9WgXcQ). It should render a responsive player wrapper with the YouTube iframe.[video](https://uzh.mediaspace.cast.switch.ch/media/10+Untersuchung+Kopf+beim+Hund/0_ipqc15ga/124135). It should resolve the entryId and successfully render the Kaltura playkit login-bypass player iframe.[video](https://uzh.mediaspace.cast.switch.ch/embed/secure/iframe/entryId/0_um01ms1s/uiConfId/23449004/st/0). It should preserve the correct uiConfId and render the playkit player.[Link to YouTube](https://www.youtube.com/watch?v=dQw4w9WgXcQ), continue to render as regular hyperlinks with original properties (e.g.target="_blank").