XSS in Vimeo video ID

Problem/Motivation

The 7.x-2.x version of the module does not have a stable release, therefore I'm reporting this minor security issue in public.

This module has an XSS vulnerability. The module does not sanitize the video ID field that is returned from the Vimeo API and prints it to HTML without sanitization. This vulnerability is mitigated by the fact that an attacker would have to either
1) compromise the Vimeo service that returns the data or
2) Perform a man in the middle attack on the unencrypted request that the Drupal site is sending to Vimeo.

The Drupal 8 version of this module is not affected.

Steps to reproduce

You can see this vulnerability by:
1. Enabling the module
2. As an admin add a video embed field to a content type
3. Add a node with the video field set to a vimeo URL, for example https://vimeo.com/1084537
4. Simulate a man in the middle attack by injecting malicious content for the video_id with a patch like this:

diff --git a/video_embed_field.handlers.inc b/video_embed_field.handlers.inc
index 1962008..93ec7cf 100644
--- a/video_embed_field.handlers.inc
+++ b/video_embed_field.handlers.inc
@@ -460,7 +460,9 @@ function _video_embed_field_get_vimeo_data($url) {
   $response = drupal_http_request($oembed_endpoint . '.json?url=' . rawurlencode($url));
 
   try {
-    return json_decode($response->data, TRUE);
+    $result = json_decode($response->data, TRUE);
+    $result['video_id'] = '0"></iframe><script>alert("XSS");</script>';
+    return $result;
   } catch (Exception $e) {
     return FALSE;
   }

5. Visit the node page and see the malicious script being executed.

Proposed resolution

Run check_plain() on the Vimeo video ID the same way as it is done for Youtube in _video_embed_field_get_youtube_id().

Remaining tasks

Review the patch.