I've been assigned a project for a website where users will be allowed to upload videos (using a YouTube API) but, more importantly (for me), they will also be allowed to submit video embed codes (from numerous video sites: YouTube, Vimeo, etc.).

Having no experience with allowing users to embed video:
How can I best protect against cross-site scripting and/or cross-site request forgery attacks, specifically for video embedding? What are some of the common pitfalls to watch for?

At a minimum I would think to strip all tags except <object>, <param> and <embed>. But I have a feeling this will not be enough, will it?

edit
Also:
Do you think allowing only known video domain names in the <embed src= and <param name="movie" value= attributes is enough to prevent rogue Flash movies from being embedded in those attributes?
/edit

If it is of importance, the environment will be:

  • PHP/Zend Framework
  • MySQL

Bonus points:
Is there a common minimum golden rule/code template for video embed codes that is valid across all video sites that I could use to filter the input?

A: 

Why don't you just visit all the sites, save their embed code, and then only allow your users to submit the required site's parameters?

St. John Johnson
Hey, thanks. I thought about this too. But this might get too cumbersome. We'd like to allow as many video sites as possible. Also, I don't want to bother people with too many technical details (knowing what parameters to put where). So basically we'd like to keep it as simple as possible for people (copy/paste the embed code and be done).
fireeyedboy
Well, all they would need to do is choose the site and then copy/paste the resulting URL. This would be safer.
St. John Johnson
St. John Johnson - have you ever heard about user-friendliness? :D Not all users come from the IT department ;)
shfx
@shfx Haha, touché. I was just thinking that, let's say you uploaded your file to YouTube, well, you get a resulting link: youtube.com/8asdja8. Copy that to a text field and then detect what the site is (YouTube), which then relates to the specific code they use to embed links, and then combine them together to get a safely embedded video.
St. John Johnson
@john Oh! ;) Yup! That's the simplest way for the users for sure!
shfx
A: 

The first and most dangerous XSS (?) is that Flash can read your DOM... Don't embed videos on pages where the user can input his/her login data. Login forms should be separated.

Usually Flash embeds use code that looks similar to:

Youtube:

<object width="425" height="350">
  <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />
  <param name="wmode" value="transparent" />
  <embed src="http://www.youtube.com/v/AyPzM5WK8ys"
         type="application/x-shockwave-flash"
         wmode="transparent" width="425" height="350" />
</object>

Vimeo:

<object width="400" height="225">
  <param name="allowfullscreen" value="true" />
  <param name="allowscriptaccess" value="always" />
  <param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=10239065&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" />
  <embed src="http://vimeo.com/moogaloop.swf?clip_id=10239065&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed>
</object>
<p><a href="http://vimeo.com/10239065">La Fete (HD - 2010)</a> from <a href="http://vimeo.com/animalcolm">Malcolm Sutherland</a> on <a href="http://vimeo.com">Vimeo</a>.</p>

Metacafe:

<embed src="http://www.metacafe.com/fplayer/4317045/bmx_face_slide.swf" width="400" height="345" wmode="transparent" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" name="Metacafe_4317045"> </embed>
<br><font size="1"><a href="http://www.metacafe.com/watch/4317045/bmx_face_slide/">BMX Face Slide</a> - <a href="http://www.metacafe.com/">Free videos are just a click away</a></font>

The best solution for enabling embedded content is to strip tags, with an exception for embed, param and object, and a list of attributes from the samples that can be used.

Remember, some attributes can run JavaScript code, as can an anchor's href...

Edit: Allowing only trusted sites in src and the param's value attribute is kind of a good way to prevent hAx0rs from doing bad things, but it's not flawless. Another big thing: read more about allowScriptAccess. It's a param attribute you should remove or set to sameDomain / never. It will prevent the SWF from running JavaScript :)

shfx
I think we're going to have to strip all excess tags such as the `<p>` from Vimeo, and indeed strip excess attributes. Good point also about the DOM; I wouldn't have thought about this myself. Also: do you think allowing only known video domain names in the `<embed src=` attribute and `<param name="movie" value=` attribute is enough to prevent rogue Flash movies from being embedded in those attributes?
fireeyedboy
Yup, I've edited my answer, hope you get the point.
shfx
There's another way: read about YouTube's API and try to embed the SWF file just using a given URL... like Facebook does.
shfx
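The filtering the answer above describes (strip everything except object/param/embed, keep only the attributes seen in the samples, allow only known hosts in src and the movie param, and force allowScriptAccess off) as an added example; it is not code from the answer or the question. The question's site runs PHP/Zend, but the logic is shown in Python so it runs stand-alone. The allowed hosts, the allowed attributes and params, and the two sample snippets (one in the YouTube shape from the answer, one hostile) are constructed for this example. The snippet is rebuilt from scratch rather than edited, so nothing from the input is copied through unchecked; the host check parses the URL and matches on the domain suffix, which is what defeats the "youtube.com.evil.example" and "http://youtube.com@evil.example/" lookalikes the answer alludes to when it says the domain check alone is not flawless.

```python
"""Allowlist sanitiser for a user-pasted Flash embed snippet (added example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists; a real site would maintain these per provider.
ALLOWED_HOSTS = ("youtube.com", "vimeo.com", "metacafe.com")
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,32}")   # widths, wmode, true/false


def host_allowed(url):
    """True only for http(s) URLs on an allowed domain or one of its subdomains."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False        # javascript:, data:, //host, bare paths
    host = parts.hostname.lower()   # userinfo ("youtube.com@evil") is not the host
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def clean_object(attrs):
    # data=, classid=, codebase= and every on*= handler are dropped by omission
    clean = {}
    for name in ("width", "height"):
        value = attrs.get(name)
        if value is not None and SAFE_TOKEN.fullmatch(value):
            clean[name] = value
    return clean


def clean_param(attrs):
    """Cleaned attrs for one <param>, or None to drop it."""
    name = (attrs.get("name") or "").lower()
    value = attrs.get("value") or ""
    if name == "movie":
        return {"name": "movie", "value": value} if host_allowed(value) else None
    if name == "allowscriptaccess":
        return {"name": name, "value": "never"}      # whatever the user sent
    if name in ("wmode", "allowfullscreen") and SAFE_TOKEN.fullmatch(value):
        return {"name": name, "value": value}
    return None                                      # unknown params are dropped


def clean_embed(attrs):
    """Cleaned attrs for <embed>, or None to drop the whole tag."""
    src = attrs.get("src") or ""
    if not host_allowed(src):
        return None
    clean = {"src": src, "type": "application/x-shockwave-flash"}
    for name in ("width", "height", "wmode", "allowfullscreen"):
        value = attrs.get(name)
        if value is not None and SAFE_TOKEN.fullmatch(value):
            clean[name] = value
    clean["allowscriptaccess"] = "never"   # the SWF may not call JS on our page
    return clean


class EmbedSanitizer(HTMLParser):
    """Re-emits only cleaned object/param/embed tags; all else is discarded."""

    def __init__(self):
        super().__init__()
        self.out, self.dropped, self.depth = [], [], 0   # depth: open <object>s

    @staticmethod
    def _render(tag, attrs, void):
        body = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs.items())
        return f"<{tag}{body}{' /' if void else ''}>"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object":
            self.out.append(self._render(tag, clean_object(attrs), False))
            self.depth += 1
        elif tag == "param" and self.depth:
            cleaned = clean_param(attrs)
            self.out.append(self._render(tag, cleaned, True)) if cleaned else \
                self.dropped.append(f"param {attrs.get('name')!r}")
        elif tag == "embed":
            cleaned = clean_embed(attrs)
            self.out.append(self._render(tag, cleaned, True)) if cleaned else \
                self.dropped.append(f"embed src={attrs.get('src')!r}")
        else:
            self.dropped.append(f"tag <{tag}>")   # <script>, <p>, <a>, <iframe>, ...

    def handle_endtag(self, tag):
        if tag == "object" and self.depth:
            self.depth -= 1
            self.out.append("</object>")
        # other end tags are dropped; param/embed are emitted self-closed

    def handle_data(self, data):
        pass   # captions and script bodies never reach the output


def sanitize_embed(snippet):
    """Return (clean_html, list_of_dropped_items)."""
    p = EmbedSanitizer()
    p.feed(snippet)
    p.close()
    p.out.extend("</object>" for _ in range(p.depth))   # close what was left open
    return "".join(p.out), p.dropped


# Constructed samples: the YouTube shape from the answer, and a hostile paste.
YOUTUBE_SNIPPET = (
    '<object width="425" height="350">'
    '<param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />'
    '<param name="wmode" value="transparent" />'
    '<embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" '
    'wmode="transparent" width="425" height="350" /></object>'
)
HOSTILE_SNIPPET = (
    '<object width="425" height="350" onmouseover="alert(1)" data="http://evil.example/x.swf">'
    '<param name="movie" value="http://www.youtube.com.evil.example/x.swf" />'
    '<param name="allowscriptaccess" value="always" />'
    '<embed src="javascript:alert(document.cookie)" />'
    '</object><script>alert(2)</script><a href="http://evil.example">x</a>'
)

if __name__ == "__main__":
    for snippet in (YOUTUBE_SNIPPET, HOSTILE_SNIPPET):
        print(*sanitize_embed(snippet), sep="\n  dropped: ")
```

Note what the hostile input becomes: an empty player shell with allowscriptaccess="never". That is deliberate; when the movie URL fails the host check the safe result is no movie, not a best-effort repair, and the `dropped` list is what you would log or show back to the user.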