Fixes risks outline in #4600 by verifying that any src urls are valid
youtube URLs before rendering as HTML. My thoughts are that this attack
vector would be difficult to use because the attacker would have to have
a way to manipualte the TipTap payload in a manner that bypasses the
youtube extension's `setYoutubeVideo` command, which already checks for
valid URLs.
Youtube uses /shorts/ for their shorts video. The /embed url works with these id's, the regex did not support them though.
This updates the videoId regex to also support the /shorts/ urls.
* Fixed allowFullscreen not working correctly. Added autoplay and progress bar color parameters
* Added cc language preference, cc load policy, disable keyboard controls, end time and interface language parameters
* Added enable IFrame API, iv load policy, loop, modest branding, origin and playlist parameters
* Updated the youtube extension documentation
Co-authored-by: luis.feliu <luis.feliu@mentormate.com>
