VYPR
Moderate severity · NVD Advisory · Published Apr 7, 2025 · Updated Apr 7, 2025

tarteaucitron.js allows UI manipulation via unrestricted CSS injection

CVE-2025-31138

Description

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks. An attacker with high privileges could exploit this vulnerability to overlay malicious UI elements on top of legitimate content, trick users into interacting with hidden elements (clickjacking), or disrupt the intended functionality and accessibility of the website. This vulnerability is fixed in 1.20.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

tarteaucitron.js before 1.20.1 fails to validate user-controlled width/height inputs, allowing CSS injection that can lead to clickjacking.

Vulnerability Overview

CVE-2025-31138 is a CSS injection vulnerability in tarteaucitron.js, a popular cookie consent banner library, affecting versions prior to 1.20.1. The root cause is insufficient validation of user-controlled input for element dimensions (width and height). The library allowed an attacker with direct access to the site's source code or a CMS plugin to inject arbitrary CSS values, such as 100%;height:100%;position:fixed;, effectively covering the entire viewport [1][4].

Attack Vector and Prerequisites

Exploitation requires an attacker to have high privileges (e.g., a CMS administrator or direct source code access) because the vulnerable inputs are typically set through site configuration or plugin settings. Once an attacker can control these values, they can inject CSS that overlays the cookie banner or other UI elements across the entire viewport. This does not require additional authentication beyond the privileges to modify the site's code or plugin parameters [1][4].

Potential Impact

By covering the viewport, the attacker can overlay malicious UI elements on top of legitimate website content, a classic clickjacking technique. This could trick users into clicking on hidden or disguised elements—such as hidden buttons or links—leading to unintended actions like downloading malware, granting permissions, or disclosing sensitive information. Additionally, the injected CSS can disrupt the intended functionality and accessibility of the website, potentially breaking the cookie consent flow or other interactive elements [1][4].

Mitigation Status

The vulnerability is fixed in version 1.20.1 and later, where the commit 25fcf828aaa55306ddc09cfbac9a6f8f126e2d07 introduces strict validation and sanitization of user-provided CSS values to prevent unintended UI manipulation [3][4]. Users should upgrade to the latest version immediately; no workaround is documented. The fix is also referenced in the GitHub security advisory and the official changelog [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
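
The `styleAttr` expression before and after the fix, as an added example (not code from tarteaucitron.js or from this advisory). The first two builders mirror the patch's removed and added lines; `strictPx`, `buildStyleStrict`, `auditStyle` and `compare` are hypothetical helpers introduced here, and every input except the value quoted in the description is constructed.

```javascript
'use strict';

// Value quoted in the advisory text; the other inputs below are constructed.
const ADVISORY_VALUE = '100%;height:100%;position:fixed;';

// Pre-1.20.1 pattern: the raw attribute value is concatenated into style="...".
function buildStyleVulnerable(width, height) {
  return (width !== '' ? 'width:' + width + 'px;' : '') +
         (height !== '' ? 'height:' + height + 'px;' : '');
}

// 1.20.1 pattern: parseInt(value, 10) keeps only a leading integer.
function buildStylePatched(width, height) {
  return (width !== '' ? 'width:' + parseInt(width, 10) + 'px;' : '') +
         (height !== '' ? 'height:' + parseInt(height, 10) + 'px;' : '');
}

// Hypothetical stricter variant (assumption, not in the library): accept only
// a plain run of 1-5 digits and omit the declaration for anything else.
function strictPx(value) {
  return /^[0-9]{1,5}$/.test(String(value)) ? Number(value) : null;
}

function buildStyleStrict(width, height) {
  const w = strictPx(width);
  const h = strictPx(height);
  return (w !== null ? 'width:' + w + 'px;' : '') +
         (h !== null ? 'height:' + h + 'px;' : '');
}

// Regression check: return every declaration in a generated style string
// that is not exactly "width:<int>px" or "height:<int>px".
function auditStyle(style) {
  return style.split(';')
    .map(d => d.trim())
    .filter(d => d !== '' && !/^(width|height):[0-9]+px$/.test(d));
}

// Run one input pair through all three builders and audit each result.
function compare(width, height) {
  return [buildStyleVulnerable, buildStylePatched, buildStyleStrict].map(fn => {
    const style = fn(width, height);
    return { builder: fn.name, style, rejected: auditStyle(style) };
  });
}

for (const [w, h] of [['640', '360'], [ADVISORY_VALUE, ''], ['abc', '300']]) {
  console.log(JSON.stringify([w, h]), compare(w, h));
}
```

A browser discards `width:NaNpx` as an invalid declaration, so the patched builder fails closed on non-numeric input, but it still accepts the numeric prefix of the advisory value as `100`.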

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
tarteaucitronjs (npm) | < 1.20.1 | 1.20.1

Patches

25fcf828aaa5

Security: Make sure width and height are integer #1313

2 files changed · +57 −57
  • tarteaucitron.services.js · +56 −56 · modified
    @@ -19,7 +19,7 @@ tarteaucitron.services.iframe = {
                     allowfullscreen = tarteaucitron.getElemAttr(x,"allowfullscreen"),
                     url = tarteaucitron.getElemAttr(x,"url");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
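Review bot: on the new `styleAttr` line, `parseInt(width, 10)` is guarded only by `width !== ""`, so a non-numeric value yields `width:NaNpx;` and a value such as `100%;height:100%;position:fixed;` is silently truncated to `100` rather than rejected. Consider a shared helper that returns the declaration only when the value is a plain positive integer and an empty string otherwise, and call it from every service instead of repeating this expression. The unchanged return line still concatenates `url` and `frame_title` into attribute values as-is, which this change does not address.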
    @@ -655,7 +655,7 @@ tarteaucitron.services.twitch = {
                     height = tarteaucitron.getElemAttr(x, 'height');
                 var embedURL = "https://player.twitch.tv/?video=" + id + "&parent=" + parent;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"" + embedURL + "\"></iframe>";
             });
    @@ -820,7 +820,7 @@ tarteaucitron.services.playplay = {
     
                 var playURL = "https://playplay.com/app/embed-video/" + id;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "border:0;\" src=\"" + playURL + "\" allowfullscreen></iframe>";
             });
    @@ -1379,7 +1379,7 @@ tarteaucitron.services.videas = {
                     id = tarteaucitron.getElemAttr(x, "data-id"),
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="https://app.videas.fr/embed/' + id + '/" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -1471,7 +1471,7 @@ tarteaucitron.services.doubleclick = {
                     ord = tarteaucitron.getElemAttr(x, "data-ord"),
                     num = tarteaucitron.getElemAttr(x, "data-num");
     
    -            return '<iframe title="' + frame_title + '" src="https://'+id1+'.fls.doubleclick.net/activityi;src='+id2+';type='+type+';cat='+cat+';item='+item+';quantity='+quantity+';price='+price+';postage='+postage+';seller='+seller+';gdpr='+gdpr+';gdpr_consent='+gdpr_consent+';num='+num+';ord='+ord+'?" style="width:1;height:1;display:none"></iframe>';
    +            return '<iframe title="' + frame_title + '" src="https://'+id1+'.fls.doubleclick.net/activityi;src='+id2+';type='+type+';cat='+cat+';item='+item+';quantity='+quantity+';price='+price+';postage='+postage+';seller='+seller+';gdpr='+gdpr+';gdpr_consent='+gdpr_consent+';num='+num+';ord='+ord+'?" style="width:1px;height:1px;display:none"></iframe>';
             });
         }
     };
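Review bot: the only change on this return line is `width:1;height:1` to `width:1px;height:1px`, a unit correction on constants rather than input validation, so it deserves its own mention in the commit message, which only talks about making width and height integers. On the same line the values read with `getElemAttr` in the context above (`ord`, `num`) are concatenated into `src` without encoding; if the aim is to harden attribute-derived values, they should be covered too.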
    @@ -1844,7 +1844,7 @@ tarteaucitron.services.helloasso = {
                     url = tarteaucitron.getElemAttr(x, "data-url"),
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" id="haWidget" src="' + url + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -1877,7 +1877,7 @@ tarteaucitron.services.podcloud = {
                     url = tarteaucitron.getElemAttr(x, "data-url"),
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -1912,7 +1912,7 @@ tarteaucitron.services.facebookpost = {
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen"),
                     showText = tarteaucitron.getElemAttr(x, "data-show-text");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="https://www.facebook.com/plugins/post.php?href=' + encodeURIComponent(url) + '&amp;width=' + width + '&amp;show_text=false&amp;appId=' + appId + '&amp;show_text=' + showText + '&amp;height=' + height + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
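Review bot: in the return line the raw `width` and `height` are still concatenated into the `src` query string (`'&amp;width=' + width`, `'&amp;height=' + height`), so only the `style` attribute benefits from the new `parseInt`. Parse each value once into a local and use that integer in both places; `appId` and `showText` on the same line would also be safer passed through `encodeURIComponent`, as `url` already is.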
    @@ -2354,7 +2354,7 @@ tarteaucitron.services.calameo = {
                     url = '//v.calameo.com/?bkcode=' + id,
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -2388,7 +2388,7 @@ tarteaucitron.services.calameolibrary = {
                     url = '//v.calameo.com/library/?type=subscription&id=' + id,
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -2633,7 +2633,7 @@ tarteaucitron.services.artetv = {
                     return "";
                 }
     
    -            var styleAttr = (width !== "" ? "width:" + video_width + "px;" : "") + (height !== "" ? "height:" + video_height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(video_width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(video_height, 10) + "px;" : "");
     
                 video_frame = '<iframe title="' + frame_title + '" style="' + styleAttr + 'transition-duration: 0; transition-property: no; margin: 0 auto; position: relative; display: block; background-color: #000000;" src="https://www.arte.tv/player/v5/index.php?json_url=' + video_json + '" ' + (video_allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
                 return video_frame;
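Review bot: the guards on the changed line test `width !== ""` and `height !== ""` while the values emitted are `video_width` and `video_height`. If those are different variables, an empty `video_width` passes the guard and produces `width:NaNpx;`. Test the same variable that is parsed, or check the parsed result with `isNaN` before emitting the declaration.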
    @@ -2678,10 +2678,10 @@ tarteaucitron.services.dailymotion = {
                     return "";
                 }
                 if (video_width !== "") {
    -                styleAttr += 'width:' + video_width + 'px;';
    +                styleAttr += 'width:' + parseInt(video_width, 10) + 'px;';
                 }
                 if (video_height !== undefined) {
    -                styleAttr += 'height:' + video_height + 'px;';
    +                styleAttr += 'height:' + parseInt(video_height, 10) + 'px;';
                 }
                 if (embed_type === undefined || !['video', 'playlist'].includes(embed_type)) {
                     embed_type = "video";
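Review bot: the width guard is `video_width !== ""` but the height guard is `video_height !== undefined`, so an empty-string height reaches `parseInt(video_height, 10)` and emits `height:NaNpx;`. Use the same emptiness test for both dimensions, or guard on the parsed value being a number.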
    @@ -2725,7 +2725,7 @@ tarteaucitron.services.datingaffiliation = {
                     height = tarteaucitron.getElemAttr(x, "height"),
                     url = 'https://www.tools-affil2.com/rotaban/ban.php?' + comfrom;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '&r=' + r + '&p=' + p + '&cf0=' + cf0 + '&langue=' + langue + '&forward_affiliate=' + forward_affiliate + '&cf2=' + cf2 + '&cfsa2=' + cfsa2 + '" style="' + styleAttr + '"></iframe>';
             });
    @@ -2822,10 +2822,10 @@ tarteaucitron.services.deezer = {
                     return "";
                 }
                 if (deezer_width !== "") {
    -                styleAttr += 'width:' + deezer_width + 'px;';
    +                styleAttr += 'width:' + parseInt(deezer_width, 10) + 'px;';
                 }
                 if (deezer_height !== "") {
    -                styleAttr += 'height:' + deezer_height + 'px;';
    +                styleAttr += 'height:' + parseInt(deezer_height, 10) + 'px;';
                 }
                 if (embed_theme === undefined || !['auto', 'light', 'dark'].includes(embed_theme)) {
                     embed_theme = "auto";
    @@ -3606,7 +3606,7 @@ tarteaucitron.services.genially = {
                     geniallyid = tarteaucitron.getElemAttr(x, "geniallyid"),
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<div style="position: relative; padding-bottom: 109.00%; padding-top: 0; height: 0;"><iframe style="position: absolute; top: 0; left: 0;' + styleAttr + '" title="' + frame_title + '" src="https://view.genial.ly/' + geniallyid + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe></div>';
             });
    @@ -3692,7 +3692,7 @@ tarteaucitron.services.googlemapssearch = {
                     query = escape(tarteaucitron.getElemAttr(x, "data-search")),
                     key = tarteaucitron.getElemAttr(x, "data-api-key");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" style="' + styleAttr + 'border:0" src="https://www.google.com/maps/embed/v1/place?q=' + query + '&key=' + key + '" allowfullscreen></iframe> '
             });
    @@ -3724,7 +3724,7 @@ tarteaucitron.services.googlemapsembed = {
                     height = tarteaucitron.getElemHeight(x),
                     url = tarteaucitron.getElemAttr(x, "data-url");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency allowfullscreen></iframe>';
             });
    @@ -3757,7 +3757,7 @@ tarteaucitron.services.openstreetmap = {
                     height = tarteaucitron.getElemHeight(x),
                     url = tarteaucitron.getElemAttr(x, "data-url");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowfullscreen></iframe>';
             });
    @@ -3789,7 +3789,7 @@ tarteaucitron.services.geoportail = {
                     height = tarteaucitron.getElemHeight(x),
                     url = tarteaucitron.getElemAttr(x, "data-url");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" sandbox="allow-forms allow-scripts allow-same-origin" allowfullscreen></iframe>';
             });
    @@ -3930,10 +3930,10 @@ tarteaucitron.services.instagram = {
                 }
     
                 if (embed_width !== "") {
    -                styleAttr = 'width:' + embed_width + 'px;';
    +                styleAttr = 'width:' + parseInt(embed_width, 10) + 'px;';
                 }
                 if (embed_height !== "") {
    -                styleAttr = 'height:' + embed_height + 'px;';
    +                styleAttr = 'height:' + parseInt(embed_height, 10) + 'px;';
                 }
     
                 post_frame = '<iframe title="' + frame_title + '" src="//www.instagram.com/p/' + post_id + '/embed" style="' + styleAttr + '"></iframe>';
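Review bot: both branches assign with `=` (`styleAttr = 'width:' ...` then `styleAttr = 'height:' ...`), so when both attributes are set the height declaration replaces the width one, whereas the other services in this patch use `+=`. Since these lines are being touched anyway, switch to `+=` here, assuming `styleAttr` starts as an empty string, so both dimensions survive.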
    @@ -4186,7 +4186,7 @@ tarteaucitron.services.prezi = {
                     height = tarteaucitron.getElemAttr(x, "height"),
                     url = 'https://prezi.com/embed/' + id + '/?bgcolor=ffffff&amp;lock_to_path=0&amp;autoplay=0&amp;autohide_ctrls=0';
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency allowfullscreen></iframe>';
             });
    @@ -4474,7 +4474,7 @@ tarteaucitron.services.slideshare = {
                     height = tarteaucitron.getElemAttr(x, "height"),
                     url = '//www.slideshare.net/slideshow/embed_code/key/' + id;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency allowfullscreen></iframe>';
             });
    @@ -4503,7 +4503,7 @@ tarteaucitron.services.soundcloud = {
             tarteaucitron.fallback(['soundcloud_player'], function (x) {
                 var frame_title = tarteaucitron.getElemAttr(x, "title") || 'Soundcloud iframe',
                     player_height = tarteaucitron.getElemAttr(x, 'data-height'),
    -                frame_height = 'height:' + player_height + 'px;',
    +                frame_height = 'height:' + parseInt(player_height, 10) + 'px;',
                     playable_id = tarteaucitron.getElemAttr(x, 'data-playable-id'),
                     playable_type = tarteaucitron.getElemAttr(x, 'data-playable-type'),
                     playable_url = tarteaucitron.getElemAttr(x, 'data-playable-url'),
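Review bot: `frame_height` is built unconditionally from `parseInt(player_height, 10)`, unlike the other services in this patch, which first check for an empty value; when `data-height` is missing or non-numeric this yields `height:NaNpx;`. Emit the declaration only when the parsed value is a number.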
    @@ -4573,10 +4573,10 @@ tarteaucitron.services.spotify = {
                     return "";
                 }
                 if (spotify_width !== "") {
    -                styleAttr += 'width:' + spotify_width + 'px;';
    +                styleAttr += 'width:' + parseInt(spotify_width, 10) + 'px;';
                 }
                 if (spotify_height !== "") {
    -                styleAttr += 'height:' + spotify_height + 'px;';
    +                styleAttr += 'height:' + parseInt(spotify_height, 10) + 'px;';
                 }
                 spotify_frame = '<iframe title="' + frame_title + '" src="//open.spotify.com/embed/' + spotify_id + '" style="' + styleAttr + '" allowfullscreen></iframe>';
                 return spotify_frame;
    @@ -4648,7 +4648,7 @@ tarteaucitron.services.timelinejs = {
                     start_zoom = tarteaucitron.getElemAttr(x, "start_zoom"),
                     url = '//cdn.knightlab.com/libs/timeline/latest/embed/index.html?source=' + spreadsheet_id + '&font=' + font + '&maptype=' + map + '&lang=' + lang + '&start_at_end=' + start_at_end + '&hash_bookmark=' + hash_bookmark + '&start_at_slide=' + start_at_slide + '&start_zoom_adjust=' + start_zoom + '&height=' + height;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="' + url + '" style="' + styleAttr + '" allowtransparency allowfullscreen></iframe>';
             });
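Review bot: in the context line that builds `url`, `'&height=' + height` still uses the unparsed value, alongside `font`, `lang` and the other parameters concatenated without `encodeURIComponent`. Reuse the parsed height there and encode the remaining query parameters so the `src` attribute gets the same protection as `style`.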
    @@ -4905,10 +4905,10 @@ tarteaucitron.services.vimeo = {
     
                 // attributes
                 if (video_width !== undefined) {
    -                styleAttr += 'width:' + video_width + 'px;';
    +                styleAttr += 'width:' + parseInt(video_width, 10) + 'px;';
                 }
                 if (video_height !== undefined) {
    -                styleAttr += 'height:' + video_height + 'px;';
    +                styleAttr += 'height:' + parseInt(video_height, 10) + 'px;';
                 }
     
                 video_frame = '<iframe title="' + frame_title + '" src="//player.vimeo.com/video/' + video_id + video_qs + '" style="' + styleAttr + '" ' + (video_allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
    @@ -5192,10 +5192,10 @@ tarteaucitron.services.youtube = {
                     return "";
                 }
                 if (video_width !== "") {
    -                styleAttr += 'width:' + video_width + 'px;';
    +                styleAttr += 'width:' + parseInt(video_width, 10) + 'px;';
                 }
                 if (video_height !== "") {
    -                styleAttr += 'height:' + video_height + 'px;';
    +                styleAttr += 'height:' + parseInt(video_height, 10) + 'px;';
                 }
     
                 if (srcdoc !== undefined && srcdoc !== null && srcdoc !== "") {
    @@ -5249,10 +5249,10 @@ tarteaucitron.services.youtubeplaylist = {
                     return "";
                 }
                 if (video_width !== "") {
    -                styleAttr += 'width:' + video_width + 'px;';
    +                styleAttr += 'width:' + parseInt(video_width, 10) + 'px;';
                 }
                 if (video_height !== "") {
    -                styleAttr += 'height:' + video_height + 'px;';
    +                styleAttr += 'height:' + parseInt(video_height, 10) + 'px;';
                 }
                 video_frame = '<iframe title="' + frame_title + '" style="' + styleAttr + '" src="//www.youtube-nocookie.com/embed/videoseries?list=' + playlist_id + '&' + params + '"' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
                 return video_frame;
    @@ -5395,10 +5395,10 @@ tarteaucitron.services.issuu = {
                     return "";
                 }
                 if (issuu_width !== "") {
    -                styleAttr += 'width:' + issuu_width + 'px;';
    +                styleAttr += 'width:' + parseInt(issuu_width, 10) + 'px;';
                 }
                 if (issuu_height !== "") {
    -                styleAttr += 'height:' + issuu_height + 'px;';
    +                styleAttr += 'height:' + parseInt(issuu_height, 10) + 'px;';
                 }
     
     
    @@ -5840,10 +5840,10 @@ tarteaucitron.services.matterport = {
                     return "";
                 }
                 if (matterport_width !== "") {
    -                styleAttr += 'width:' + matterport_width + 'px;';
    +                styleAttr += 'width:' + parseInt(matterport_width, 10) + 'px;';
                 }
                 if (matterport_height !== undefined) {
    -                styleAttr += 'height:' + matterport_height + 'px;';
    +                styleAttr += 'height:' + parseInt(matterport_height, 10) + 'px;';
                 }
                 if (matterport_parameters === undefined) {
                     return "";
    @@ -6113,7 +6113,7 @@ tarteaucitron.services.ausha = {
                 if (color && color.length > 0) src += '&color=' + color.replace('#', '%23');
                 if (player_id && player_id.length > 0) src += '&playerId=' + player_id;
     
    -            return '<iframe title="' + frame_title + '" id="' + player_id + '" loading="lazy" style="width:100%;height:' + player_height + 'px;" src="' + src + '"></iframe>';
    +            return '<iframe title="' + frame_title + '" id="' + player_id + '" loading="lazy" style="width:100%;height:' + parseInt(player_height, 10) + 'px;" src="' + src + '"></iframe>';
             });
     
             tarteaucitron.addScript('//player.ausha.co/ausha-player.js', 'ausha-player');
    @@ -6174,10 +6174,10 @@ tarteaucitron.services.bandcamp = {
                 }
     
                 if (bandcamp_width !== "") {
    -                styleAttr += 'width:' + bandcamp_width + 'px;';
    +                styleAttr += 'width:' + parseInt(bandcamp_width, 10) + 'px;';
                 }
                 if (bandcamp_height !== "") {
    -                styleAttr += 'height:' + bandcamp_height + 'px;';
    +                styleAttr += 'height:' + parseInt(bandcamp_height, 10) + 'px;';
                 }
     
                 var src = 'https://bandcamp.com/EmbeddedPlayer/album=' + album_id + '/' + params;
    @@ -6212,7 +6212,7 @@ tarteaucitron.services.discord = {
                     height = tarteaucitron.getElemAttr(x, "height")
                 var widgetURL = "https://discord.com/widget?id=" + id;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"" + widgetURL + "\"></iframe>";
             });
    @@ -6245,7 +6245,7 @@ tarteaucitron.services.maps_noapi = {
                     height = tarteaucitron.getElemAttr(x, "height")
                 var widgetURL = "https://www.google.com/maps/embed?pb=" + id;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "border:0;\" src=\"" + widgetURL + "\" allowfullscreen loading=\"lazy\"></iframe>";
             });
    @@ -6297,7 +6297,7 @@ tarteaucitron.services.fculture = {
                     width = tarteaucitron.getElemAttr(x, 'width'),
                     height = tarteaucitron.getElemAttr(x, 'height');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" src=\"https://www.franceculture.fr/player/export-reecouter?content=" + id + "\" style=\"" + styleAttr + "\"></iframe>"
             });
    @@ -6328,7 +6328,7 @@ tarteaucitron.services.acast = {
                     seek = tarteaucitron.getElemAttr(x, 'seek');
                 var widgetURL = "https://embed.acast.com/" + id + "/" + id2 + "?seek=" + seek;
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" src=\"" + widgetURL + "\" style=\"border: none; overflow: hidden;" + styleAttr + "\"></iframe>";
             });
    @@ -6359,7 +6359,7 @@ tarteaucitron.services.mixcloud = {
                     width = tarteaucitron.getElemAttr(x, 'width'),
                     height = tarteaucitron.getElemAttr(x, 'height');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
                 
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"https://www.mixcloud.com/widget/iframe/?hide_cover=" + hidecover + "&mini=" + mini + "&light=" + light + "&feed=" + id + "\"></iframe>";
             });
    @@ -6387,7 +6387,7 @@ tarteaucitron.services.gagenda = {
                     width = tarteaucitron.getElemAttr(x, 'width'),
                     height = tarteaucitron.getElemAttr(x, 'height');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" loading=\"lazy\" style=\"" + styleAttr + "border-width:0\" src=\"https://www.google.com/calendar/embed?" + calendar_data + "\"></iframe>";
             });
    @@ -6415,7 +6415,7 @@ tarteaucitron.services.gdocs = {
                     width = tarteaucitron.getElemAttr(x, 'width'),
                     height = tarteaucitron.getElemAttr(x, 'height');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"https://docs.google.com/document/d/e/" + id + "/pub?embedded=true\"></iframe>";
             });
    @@ -6444,7 +6444,7 @@ tarteaucitron.services.gsheets = {
                     height = tarteaucitron.getElemAttr(x, 'height'),
                     headers = tarteaucitron.getElemAttr(x, 'headers');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"https://docs.google.com/spreadsheets/d/e/" + id + "/pubhtml?widget=true&amp;headers=" + headers + "\"></iframe>";
             });
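Review bot: `headers` is read with `getElemAttr` just above and concatenated into the iframe `src` query string in the return line, with no encoding in the lines shown. The patch coerces only width and height; unless `getElemAttr` already sanitises its result, passing `headers` and `id` through `encodeURIComponent` would close the same kind of raw attribute-value concatenation here.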
    @@ -6475,7 +6475,7 @@ tarteaucitron.services.gslides = {
                     loop = tarteaucitron.getElemAttr(x, 'loop'),
                     delay = tarteaucitron.getElemAttr(x, 'delay');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"https://docs.google.com/presentation/d/e/" + id + "/embed?start=" + autostart + "&loop=" + loop + "&delayms=" + delay + "\" allowfullscreen mozallowfullscreen webkitallowfullscreen></iframe>";
             });
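Review bot: `loop` and `delay` come from `getElemAttr` in this hunk and go into the `src` as `&loop=` and `&delayms=` without the coercion now applied to width and height. `delay` feeds a millisecond count, so `parseInt(delay, 10)` would fit it the same way.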
    @@ -6503,7 +6503,7 @@ tarteaucitron.services.gforms = {
                     width = tarteaucitron.getElemAttr(x, 'width'),
                     height = tarteaucitron.getElemAttr(x, 'height');
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return "<iframe title=\"" + frame_title + "\" style=\"" + styleAttr + "\" src=\"https://docs.google.com/forms/d/e/" + id + "/viewform?embedded=true\"></iframe>";
             });
    @@ -6651,7 +6651,7 @@ tarteaucitron.services.webtvnu = {
                     width = tarteaucitron.getElemAttr(x, "width"),
                     height = tarteaucitron.getElemAttr(x, "height");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" style="' + styleAttr + '" src="' + frame_url + '" allowfullscreen allow="autoplay"></iframe>';
             });
    @@ -6700,7 +6700,7 @@ tarteaucitron.services.meteofrance = {
                     insee = tarteaucitron.getElemAttr(x, "data-insee"),
                     allowfullscreen = tarteaucitron.getElemAttr(x, "allowfullscreen");
     
    -            var styleAttr = (width !== "" ? "width:" + width + "px;" : "") + (height !== "" ? "height:" + height + "px;" : "");
    +            var styleAttr = (width !== "" ? "width:" + parseInt(width, 10) + "px;" : "") + (height !== "" ? "height:" + parseInt(height, 10) + "px;" : "");
     
                 return '<iframe title="' + frame_title + '" src="https://meteofrance.com/widget/prevision/' + insee + '" style="' + styleAttr + '" allowtransparency ' + (allowfullscreen == '0' ? '' : ' webkitallowfullscreen mozallowfullscreen allowfullscreen') + '></iframe>';
             });
    @@ -6787,10 +6787,10 @@ tarteaucitron.services.archive = {
                     return "";
                 }
                 if (video_width !== "") {
    -                styleAttr += 'width:' + video_width + 'px;';
    +                styleAttr += 'width:' + parseInt(video_width, 10) + 'px;';
                 }
                 if (video_height !== "") {
    -                styleAttr += 'height:' + video_height + 'px;';
    +                styleAttr += 'height:' + parseInt(video_height, 10) + 'px;';
                 }
                 video_frame = '<iframe title="' + frame_title + '" src="https://archive.org/embed/' + video_id + '" style="' + styleAttr + '" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>';
                 return video_frame;
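Review bot: `parseInt` accepts a leading sign, so a `video_width` of `-1` produces `width:-1px;`, and the `video_width !== ""` guard still tests the raw string rather than the parsed number. Parse first and append the declaration only when the result is greater than zero; the same applies to `video_height`.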
    
  • tarteaucitron.services.min.js+1 1 modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
