I am allowing users to embed videos on their page, but just in case I want to filter the output. To present the video I retrieve the embed statement from the database but when it is filtered, it is presented in raw code. Is there a video friendly way to filter something like this or does anyone have any suggestions on a different way to do it? Thanks in advance for any advice.

    // Escape the stored embed code on the way out. This turns the markup into
    // literal text, which is why the page shows raw code instead of a player.
    $video = '';
    while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
        $video = htmlspecialchars($row['video'], ENT_NOQUOTES, 'UTF-8');
    }

    echo "$video";

In the database, the video will look like this, for example:

    <object width="464" height="368" id="669545" type="application/x-shockwave-flash"
        classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        alt="Aqua Teen Hunger Force - Hand Banana Funny Videos">
      <param name="movie" value="http://embed.break.com/NjY5NTQ1"></param>
      <param name="allowScriptAccess" value="always"></param>
      <embed src="http://embed.break.com/NjY5NTQ1" type="application/x-shockwave-flash"
        allowScriptAccess=always width="464" height="368"></embed>
    </object><br><font size=1><a href="http://www.break.com/usercontent/2009/2/Aqua-Teen-Hunger-Force-Hand-Banana-669545.html" target="_blank">Aqua Teen Hunger Force - Hand Banana</a> - Watch more <a href="http://www.break.com" target="_blank">Funny Videos</a></font>
+1  A: 

In general you should be htmlspecialchars()ing user-input at the point you insert it into HTML. But in this case you already have HTML, so there's nothing much you can do.

You can't usefully filter embedded plugins. If you are allowing users to specify an arbitrary Flash file or other plugin, you have already effectively given them free cross-site-scripting access into your security context, and no amount of string sanitisation will fix that.

If you really need to allow users to submit arbitrary Flash or other <object>/<embed> code, you will need to host that untrusted code in a separate security context. Typically, you put the main site on www.example.com, and include an <iframe> to stuff.example.com which spits out the untrusted <object> code. Then when the plugin code tries to do something hostile, at least it can only affect stuff.example.com and not any of your real webapp on www.example.com.

Alternatively, you could only allow users to post video content from providers you trust, e.g. youtube.com. You then just let them submit a YouTube video ID, and build up the <object> code yourself to point to the URL for that ID.

bobince
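The two alternatives in the answer, as an added example that is not the answerer's or the asker's code: the "trusted provider" approach, where the user submits only a video ID and the server generates the markup, and the "separate security context" approach, where the main site emits nothing but an `<iframe>` pointing at a different host. The 11-character ID format, the YouTube player URL and the `stuff.example.com` endpoint are assumptions for illustration, and the generated markup uses an `<iframe>` player rather than the `<object>` form the answer mentions.

```php
<?php
// Added example, not code from the original question or answer.

/**
 * Validate a submitted YouTube video ID. Assumed format: exactly 11
 * characters from [A-Za-z0-9_-]. Anything else (tags, quotes, full URLs)
 * is rejected outright instead of being "cleaned".
 */
function youtube_id_or_null(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{11}$/', $input) === 1 ? $input : null;
}

/**
 * Build the embed markup ourselves from the validated ID. The ID is still
 * passed through htmlspecialchars() with ENT_QUOTES, so a later relaxation
 * of the regex cannot turn the attribute value into an injection point.
 */
function youtube_embed_html(string $videoId, int $width = 464, int $height = 368): string
{
    $id  = htmlspecialchars($videoId, ENT_QUOTES, 'UTF-8');
    $src = 'https://www.youtube.com/embed/' . $id;   // assumed player URL
    return '<iframe width="' . $width . '" height="' . $height . '" src="' . $src . '"'
         . ' frameborder="0" allowfullscreen></iframe>';
}

/**
 * Separate security context for arbitrary <object>/<embed> code: the main
 * site (www.example.com) only emits an <iframe> to another host
 * (stuff.example.com), which serves the untrusted markup. A hostile plugin
 * then runs in that origin, not in the main webapp's. $rowId is the
 * database key of the stored embed code; the endpoint is an assumption.
 */
function sandboxed_embed_iframe(int $rowId, int $width = 464, int $height = 368): string
{
    $src = 'https://stuff.example.com/embed.php?id=' . $rowId;
    return '<iframe width="' . $width . '" height="' . $height . '" src="' . $src . '"'
         . ' frameborder="0"></iframe>';
}

// Constructed sample submissions: one valid ID and two that must be rejected.
$submissions = ['AbCdEfGhIjK', '<script>alert(1)</script>', 'abc"def'];
foreach ($submissions as $s) {
    $id = youtube_id_or_null($s);
    echo $id === null
        ? 'rejected: ' . htmlspecialchars($s, ENT_QUOTES, 'UTF-8') . "\n"
        : youtube_embed_html($id) . "\n";
}
echo sandboxed_embed_iframe(42), "\n";
```

The point of the first approach is that no user-supplied HTML is ever stored or echoed: the only user-controlled byte sequence is the ID, and it is both validated against a strict pattern and escaped on output. The second approach does not make the plugin any safer; it only limits what it can reach, so cookies, sessions and DOM on the main origin stay out of its reach.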
I like the third alternative, but what if they post flash or javascript content into the text area anyway, will htmlspecialchars prevent that malicious code from being executed, if you filter the output? Are there any other ways of filtering/preventing cross-site-scripting attacks?
Scarface
Yes, if they type `<script>` into an input and you `htmlspecialchars()` that value into the page on the way out, they will see the literal text `<script>` and not an actual script tag. There are other approaches, like HTML-escaping/filtering the input data before it goes in the database, and lots of people do this, sadly... the technical term for these approaches is “broken”. Just make sure when you create your HTML output that every piece of plain text, whether it was sourced from user input, the database, or elsewhere, is `htmlspecialchars()`ed before being inserted into HTML.
bobince
(You may want to create a helper function with a short name like `h()` that does `echo htmlspecialchars` so you don't have to type out `<?php echo htmlspecialchars($value); ?>` quite so much...)
bobince
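A version of the short escaping helper suggested in the comment, as an added example that is not bobince's or the asker's code. It returns the escaped string rather than echoing it so it can be used inside expressions, and it uses `ENT_QUOTES` instead of the `ENT_NOQUOTES` flag from the question; the sample values are constructed.

```php
<?php
// Added example, not code from the original thread.

/**
 * Escape a plain-text value for insertion into HTML. ENT_QUOTES converts
 * both " and ' to entities, so the same helper is safe for element content
 * and for attribute values alike.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: one aimed at element content, one containing a double
// quote that would end an attribute value if left unescaped.
$title   = '<script>alert(1)</script>';
$tooltip = '" data-x="y';

// ENT_NOQUOTES, as used in the question, leaves both kinds of quote alone.
$weak = htmlspecialchars($tooltip, ENT_NOQUOTES, 'UTF-8');
echo 'ENT_NOQUOTES keeps the quote: ', var_export(strpos($weak, '"') !== false, true), "\n";
echo 'ENT_QUOTES removes it:        ', var_export(strpos(h($tooltip), '"') === false, true), "\n";

// Every piece of plain text goes through h() at the point it enters HTML.
echo '<h1>', h($title), '</h1>', "\n";
echo '<span title="', h($tooltip), '">video</span>', "\n";
```

With `ENT_NOQUOTES` the double quote survives escaping, so a value placed inside a quoted attribute can close that attribute and start a new one; with `ENT_QUOTES` it becomes `&quot;` and stays inert. Using one helper with the stricter flag everywhere avoids having to remember which context each value lands in.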
that's a great idea lol, I was indeed using htmlspecialchars a lot, and thanks for your insight, appreciate it bobince
Scarface