views: 64

answers: 3

Hi,

I have a PHP application in which we allow every user to have a "public page" which shows their linked video. We have an input textbox where they can specify the embed video's HTML code. The problem we're running into is that if we take that input and directly display it on the page as it is, all sorts of scripts can be inserted here, leading to a very insecure system.

We want to allow embed code from all sites, but since they differ in how they're structured, it becomes difficult to keep tabs on how each one is structured.

What are the approaches folks have taken to tackle this scenario? Are there third-party scripts that do this for you?

A: 

The best approach would be to have a white list of tags that are allowed and remove everything else. It would also be necessary to filter all the attributes of those tags to remove the "onsomething" attributes.

In order to do a proper parsing, you need to use an XML parser. XMLReader and XMLWriter would work nicely to do that. You read the data from XMLReader; if the tag is in the white list, you write it to the XMLWriter. At the end of the process, you have your parsed data in the XMLWriter.

A code example of this would be this script. Its white list contains the tags test and video. If you give it the following input:

<z><test attr="test"></test><img />random text<video onclick="evilJavascript"><test></test></video></z>

It will output this:

<div><test attr="test"></test>random text<video><test></test></video></div>
HoLyVieR
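The filter described in this answer, written out as an added example (this is not HoLyVieR's script, which the page does not reproduce). It reads the input with XMLReader, copies only white-listed tags and attributes into an XMLWriter, rewrites the outer element as a neutral `<div>` and drops every other element together with its children. The tag white list is the answer's (`test`, `video`); the attribute white list and the extra `javascript:` check on `src` are assumptions added here.

```php
<?php
// Added example: white-list filter for user-supplied embed markup built on
// XMLReader/XMLWriter. Not the original answer's script.

function filterEmbedHtml(
    string $input,
    array $allowedTags = ['test', 'video'],                  // tag white list, as in the answer
    array $allowedAttrs = ['attr', 'src', 'width', 'height'] // attribute white list (assumption)
): ?string {
    libxml_use_internal_errors(true);
    libxml_clear_errors();

    $reader = new XMLReader();
    // LIBXML_NONET: never fetch external DTDs/entities while parsing untrusted input.
    if (!$reader->XML($input, null, LIBXML_NONET)) {
        return null;
    }

    $writer = new XMLWriter();
    $writer->openMemory();

    $ok = $reader->read();
    while ($ok) {
        switch ($reader->nodeType) {
            case XMLReader::ELEMENT:
                $tag = strtolower($reader->localName);
                if ($reader->depth === 0) {
                    // The root element is always rewritten as a <div> wrapper; its attributes are dropped.
                    $tag = 'div';
                } elseif (!in_array($tag, $allowedTags, true)) {
                    // Not white-listed: skip this element and its whole subtree.
                    $ok = $reader->next();
                    continue 2;
                }
                $isEmpty = $reader->isEmptyElement; // read before moving onto attributes
                $writer->startElement($tag);
                if ($reader->depth > 0 && $reader->hasAttributes) {
                    while ($reader->moveToNextAttribute()) {
                        $name = strtolower($reader->localName);
                        // Only white-listed attributes survive, so on* handlers never do;
                        // a javascript: URL in src is rejected as well.
                        if (!in_array($name, $allowedAttrs, true)) {
                            continue;
                        }
                        if ($name === 'src' && strncasecmp(ltrim($reader->value), 'javascript:', 11) === 0) {
                            continue;
                        }
                        $writer->writeAttribute($name, $reader->value);
                    }
                    $reader->moveToElement();
                }
                if ($isEmpty) {
                    $writer->fullEndElement();
                }
                break;
            case XMLReader::END_ELEMENT:
                // fullEndElement() writes </tag> instead of <tag/>, matching the answer's sample output.
                $writer->fullEndElement();
                break;
            case XMLReader::TEXT:
            case XMLReader::CDATA:
            case XMLReader::WHITESPACE:
            case XMLReader::SIGNIFICANT_WHITESPACE:
                $writer->text($reader->value); // re-escaped by XMLWriter on output
                break;
            // Comments, processing instructions and DOCTYPE nodes are dropped.
        }
        $ok = $reader->read();
    }
    $reader->close();

    if (libxml_get_errors()) {
        // Not well-formed XML: reject the whole fragment rather than emit a partial result.
        libxml_clear_errors();
        return null;
    }
    return $writer->outputMemory();
}

// The answer's sample input.
$input = '<z><test attr="test"></test><img />random text<video onclick="evilJavascript"><test></test></video></z>';
echo filterEmbedHtml($input), PHP_EOL;
// <div><test attr="test"></test>random text<video><test></test></video></div>
```

One caveat for real embed snippets: XMLReader only accepts well-formed XML, so markup with unclosed tags or a bare `&` in a URL is rejected outright (the function returns null), which is the safe failure mode but means users may need to be told to paste well-formed code.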
A: 

I would have the users input the URL to the video. From there you can insert the proper code yourself. It's easier for them and safer for you.

If you encounter an unknown URL, just log it, and add the code needed to support it.

konforce
The problem is that all these sites generate HTML that is intended for the users to copy/paste - and we're asking for that from our users. It would be too confusing for them if we ask them to copy-paste the web links directly.
matt_tm
You could easily accept either. The embed code would also contain the URL/id of the video.
konforce
That's actually a very interesting idea... I don't think I can use it for the current project, but something to keep in mind for later...
matt_tm
+1

A: 

Consider using some sort of pseudo-template which takes advantage of oEmbed. oEmbed is a safe way to link to a video (as the content authority, you're not allowing direct embed, but rather references to embeddable content).

For example, you might write a parser that searches for something like:

[embed]http://oembed.link/goes/here[/embed]

You could then use one of the many PHP oEmbed libraries to request the resource from the provided link and replace the pseudo-embed code with the real embed code.

Hope this helps.

mattbasta
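An added example that combines the two URL-based answers above (konforce's "have users give the URL and insert the code yourself, log unknown URLs" and mattbasta's `[embed]...[/embed]` pseudo-template). It is not code from either answer or from any oEmbed library. Users submit video links inside the markers; the application resolves known providers to embed markup it controls and records unknown links for later support. The provider URL patterns, the video-id regexes and the fixed iframe template are assumptions; in a deployment that uses an oEmbed client, the provider lookup would replace the two hard-coded cases in `resolveEmbed()`.

```php
<?php
// Added example: [embed]URL[/embed] pseudo-template with server-generated embed code.
// Not code from the answers above; provider patterns are assumptions.

/**
 * Resolve one video URL to embed markup, or null if the provider is unknown.
 * Two providers are handled with fixed templates so the example runs offline;
 * an oEmbed request to the provider would take this function's place.
 */
function resolveEmbed(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative paths and javascript: pseudo-URLs never get this far
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '';
    parse_str($parts['query'] ?? '', $query);

    // YouTube watch URL: https://www.youtube.com/watch?v=<11-char id> (id pattern is an assumption)
    if (in_array($host, ['www.youtube.com', 'youtube.com'], true) && $path === '/watch'
        && isset($query['v']) && preg_match('/^[A-Za-z0-9_-]{11}$/', $query['v'])) {
        return embedIframe('https://www.youtube.com/embed/' . $query['v']);
    }
    // Vimeo: https://vimeo.com/<numeric id>
    if ($host === 'vimeo.com' && preg_match('#^/(\d+)$#', $path, $m)) {
        return embedIframe('https://player.vimeo.com/video/' . $m[1]);
    }
    return null;
}

/** The markup is a fixed template; only the validated, escaped URL varies. */
function embedIframe(string $src): string
{
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
        . '" width="560" height="315" frameborder="0" allowfullscreen></iframe>';
}

/**
 * Replace every [embed]URL[/embed] in user text with provider markup.
 * All other text is HTML-escaped, so nothing the user typed reaches the page as raw markup.
 * Unknown URLs are collected in $unknownUrls so the caller can log them.
 */
function renderEmbeds(string $text, array &$unknownUrls = []): string
{
    $out = '';
    $offset = 0;
    if (preg_match_all('#\[embed\](.*?)\[/embed\]#i', $text, $matches, PREG_OFFSET_CAPTURE | PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            [$whole, $pos] = $m[0];
            // Escaped plain text between the previous marker and this one.
            $out .= htmlspecialchars(substr($text, $offset, $pos - $offset), ENT_QUOTES, 'UTF-8');
            $url = trim($m[1][0]);
            $markup = resolveEmbed($url);
            if ($markup === null) {
                $unknownUrls[] = $url;
                $out .= '<p>[unsupported video link]</p>';
            } else {
                $out .= $markup;
            }
            $offset = $pos + strlen($whole);
        }
    }
    $out .= htmlspecialchars(substr($text, $offset), ENT_QUOTES, 'UTF-8');
    return $out;
}

// Constructed sample: a known provider, a script tag typed as text, a javascript: link,
// and a site the application does not support yet.
$sample = "My clip: [embed]https://www.youtube.com/watch?v=aBcDeFgHiJk[/embed] "
        . "<script>alert(1)</script> [embed]javascript:alert(1)[/embed] "
        . "[embed]https://example.com/player/42[/embed]";
$unknown = [];
echo renderEmbeds($sample, $unknown), PHP_EOL;
// Log the unknown links so support for those providers can be added later.
error_log('Unsupported embed URLs: ' . implode(', ', $unknown));
```

In the sample run the `<script>` text is emitted escaped, the `javascript:` link and the unsupported site both end up in `$unknown` and are rendered as the placeholder paragraph, and only the YouTube link becomes an iframe whose `src` the server built itself.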