Review the code base to avoid usage of the unsafe constructs
Created by: yurydelendik
I noticed unsafe constructs are used throughout the code base, e.g. innerHTML assignment. If people started using the player on their website, that could be a potential security risk for them.
For example, you can construct an MPD that could execute JS code in the context of the player: e.g. the caption's lang attribute can be modified to have something like <AdaptationSet mimeType="application/ttml+xml" lang="ge<img src='./app/img/if.png' onload='document.body.style.transform = "rotate(15deg)";'>">. See the example at http://dashif.org/reference/players/javascript/v1.5.0/samples/dash-if-reference-player/index.html?url=http://async5.org/dash/ED_OnDemand_5SecSeg_Subtitles.mpd
The code review should take into account https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet (and there are probably some automated tools to do that, e.g. jsprime).
(P.S. not sure how sensitive this report is; please edit this content to remove information if needed)
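The pattern the report describes, shown beside its hardened forms, as an added example that is not code from the player's code base or from this report. The function names are constructed for illustration, and the language-tag value reproduces the attribute quoted above as a constructed input. The unsafe variant concatenates an MPD attribute straight into markup (the innerHTML pattern); the safe variants either escape the value before it reaches markup, set it via textContent so the HTML parser is never invoked, or reject it outright because a language tag never legitimately contains markup characters.

```javascript
// Added example: handling untrusted MPD attribute values before they reach the DOM.
// Not code from the player or from the report; names and the payload are constructed.

// Minimal HTML escaper covering the characters that matter in element content
// and in quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// The pattern the report describes: an attribute read from the MPD is concatenated
// straight into markup that is later assigned to innerHTML. The <img> inside the
// attribute value becomes a real element and its onload handler runs.
function renderLangUnsafe(lang) {
  return `<span class="lang">${lang}</span>`;
}

// Hardened variant of the same string-building code: the value is escaped, so the
// browser parses it as text rather than as a tag.
function renderLangSafe(lang) {
  return `<span class="lang">${escapeHtml(lang)}</span>`;
}

// Preferred variant when a DOM node is at hand: textContent never invokes the HTML
// parser, so there is no escaping step to forget. The element is passed in so this
// also runs outside a browser (e.g. under Node with a stand-in object).
function setLangLabel(element, lang) {
  element.textContent = String(lang);
  return element;
}

// Defence in depth: a language tag only ever looks like "en" or "de-DE" (loosely the
// BCP 47 shape). Anything else is rejected before rendering is attempted at all.
const LANG_TAG = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$/;
function isPlausibleLangTag(lang) {
  return LANG_TAG.test(String(lang));
}

// Constructed input mirroring the lang attribute value quoted in the report.
const CONSTRUCTED_LANG =
  `ge<img src='./app/img/if.png' onload='document.body.style.transform = "rotate(15deg)";'>`;

// Runs each variant over the constructed input and reports what survived.
function demo() {
  const fakeElement = { textContent: '' }; // stand-in for a DOM element under Node
  setLangLabel(fakeElement, CONSTRUCTED_LANG);
  return {
    unsafeContainsTag: renderLangUnsafe(CONSTRUCTED_LANG).includes('<img'),
    safeContainsTag: renderLangSafe(CONSTRUCTED_LANG).includes('<img'),
    textContentUnchanged: fakeElement.textContent === CONSTRUCTED_LANG,
    payloadAccepted: isPlausibleLangTag(CONSTRUCTED_LANG),
    benignAccepted: isPlausibleLangTag('de-DE'),
  };
}

console.log(demo());
```

In the textContent variant the string is stored exactly as given, including the angle brackets, which is the point: it is displayed as literal text and nothing in it is interpreted. The allowlist check is the cheapest line of defence for a field like lang, but it does not replace the output encoding, since other MPD fields (titles, URLs) legitimately carry a wider character set.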