I was wondering if anyone knew of a way to only allow embed codes like ones from YouTube, Vimeo, blip.tv, etc. into a form field? I have a form on my site that allows users to embed a video, but I only want them to add the embed code HTML and nothing else dangerous like JS or additional HTML. Is there any tool out there that can do this, or can this be done with just a regular expression? Thank you.

+1  A: 

You can possibly try the sanitize helper at http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html with some tweaks.

Sohan
The sanitize helper actually worked out nicely. I didn't even know about it! Thanks
CalebHC
Good to know that it helped!
Sohan
A: 

Caleb, could you share your solution here? I've been trying to use the sanitize option with Vimeo embed code, but have not been successful so far.

Thanks

Senthil
This is the code I'm using: <%= sanitize video.embed_code, :tags => %w(embed object param) %>. Pretty simple, but it is working well for me. I would soon like to add the ability to remove any extra text in the embed code. So if the user embeds the code with some extra HTML, that HTML is stripped along with the text in between the tags. I have to look more into that in the future. Hope this helps.
CalebHC
Thanks...I'm having the same problem with extra text too. I think the easiest way would be to ask users for the video ID (works if you are accepting video only from one site) and pass it through manually in a customized embed code. This way you can choose the size of the video and remove all that extra text. Not the ideal solution, but it works for now.
Senthil
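
Added example, not code from either poster: the video-ID approach described in the last comment, generalized to accept a pasted URL or full embed code, which also pins the player host, something a tag allowlist alone does not do. The provider hosts, ID patterns, iframe markup and the names extract_video / embed_html are assumptions made for this sketch.

```ruby
require "uri"
require "cgi"

# Assumed provider rules (not from the original page): exact host, a strict
# pattern for the video ID in the path, and the player URL generated here.
PROVIDERS = {
  "www.youtube.com"  => { path: %r{\A/(?:embed|v)/([A-Za-z0-9_-]{11})\z},
                          player: "https://www.youtube.com/embed/%s" },
  "player.vimeo.com" => { path: %r{\A/video/(\d{1,12})\z},
                          player: "https://player.vimeo.com/video/%s" }
}.freeze

# Returns [host, id] for the first allowlisted video URL found anywhere in the
# pasted text (bare URL or full embed code), or nil. Nothing else is kept.
def extract_video(pasted)
  pasted.to_s.scan(%r{(?:https?:)?//[^\s"'<>]+}i).each do |raw|
    raw = "https:#{raw}" if raw.start_with?("//") # protocol-relative src
    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      next
    end
    host = uri.host.to_s.downcase
    next unless (rule = PROVIDERS[host])
    next unless (m = rule[:path].match(uri.path.to_s))
    return [host, m[1]]
  end
  nil
end

# Builds the embed markup server-side from the validated ID only.
def embed_html(pasted, width: 560, height: 315)
  host, id = extract_video(pasted)
  return nil unless host
  src = format(PROVIDERS[host][:player], id)
  %(<iframe src="#{CGI.escapeHTML(src)}" width="#{Integer(width)}" ) +
    %(height="#{Integer(height)}" frameborder="0" allowfullscreen></iframe>)
end

# Constructed sample paste: a real-looking embed surrounded by extra markup.
SAMPLE = <<~HTML
  Watch this! <script>/* unwanted */</script>
  <iframe src="https://www.youtube.com/embed/abcdefghijk?rel=0" onload="x()"></iframe>
HTML

puts embed_html(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Storing the [host, id] pair instead of the pasted HTML means the extra text, attributes and query parameters never reach the page, and the markup can be regenerated later if a provider changes its player.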