XSS vulnerability in video-embed plugin

[koczkatamas]

Describe the bug
The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which may lead to XSS vulnerability.

Affected source code
The following lines contain the vulnerability:

• lazysizes/plugins/video-embed/ls.video-embed.js

  Line 73 in a2f37ec

  elem.innerHTML = '<iframe src="' + (vimeoIframe.replace(regId, id)) + vimeoParams +'" ' +

• lazysizes/plugins/video-embed/ls.video-embed.js

  Line 98 in a2f37ec

  elem.innerHTML = '<iframe src="' + (youtubeIframe.replace(regId, id)) + youtubeParams +'" ' +

To Reproduce
Open the following file and click on the play button:

<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lazysizes/5.2.0/lazysizes.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lazysizes/5.2.0/plugins/video-embed/ls.video-embed.min.js"></script>
</head>
<body>
    <div class="ratio-16-9 lazyload" data-youtube="M7lc1UVf-VE" data-ytparams="&quot;&gt;&lt;/iframe&gt;&lt;img src=x onerror=alert(1)&gt;">
        <button class="play-btn">play</button>
    </div>    
</body>
</html>

What is the expected behavior
No XSS vulnerability.

What happened instead
alert(1) popup was shown, so the code embedded into the data-ytparams attribute ran.

Similar issues
This was a somewhat similar issue in jQuery UI which was handled as a security vulnerability and also got a CVE: jquery/api.jqueryui.com#281

In what environment (browser/device etc.) does this bug happen/not happen:
Affects all environments, but tested in Chrome 80.0.3987.132 (Official Build) (64-bit) on Windows 10

[ahmedredhat]