Hello,

I'm playing with ways to allow users to insert embedded objects safely into content. What I'm doing now is essentially the following:

1) parser for YouTube embed code
2) get video id, remove all other embed code
3) rebuild YouTube embed code with video id

This seems to work pretty well, and should be safe. The problem is that I'd essentially have to whitelist any other sites I want to allow embeds from, so it's difficult to scale.

How are any of you approaching this problem?

Also, curious, I checked out Blogger.com to see what they allow. I was surprised to see that they allow arbitrary JavaScript in their content posts. How is this not a potential security risk?

(I'm using PHP, but shouldn't matter!)

Thanks!
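
The parse, extract and rebuild steps described in the post, as an added example that is not part of the original post and is written in Python rather than the poster's PHP. It goes one step further by driving the check from a provider table, so allowing another site means adding one entry; the hosts, ID patterns, templates and the sample ID are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# One allowlist entry per provider. Hosts, ID formats and templates are
# assumptions for this example; confirm them against each provider's docs.
PROVIDERS = [
    {"hosts": {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"},
     "path": re.compile(r"/embed/([A-Za-z0-9_-]{11})"),
     "template": '<iframe width="560" height="315" '
                 'src="https://www.youtube.com/embed/{id}" allowfullscreen></iframe>'},
    {"hosts": {"player.vimeo.com"},
     "path": re.compile(r"/video/([0-9]{1,12})"),
     "template": '<iframe width="560" height="315" '
                 'src="https://player.vimeo.com/video/{id}" allowfullscreen></iframe>'},
]

class SrcCollector(HTMLParser):
    """Records src of <iframe>/<embed> tags; every other tag and attribute is ignored."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "embed"):
            self.sources += [v for k, v in attrs if k == "src" and v]

def rebuild_embed(user_html):
    """Return embed markup built from a fixed template, or None if nothing is allowed."""
    collector = SrcCollector()
    collector.feed(user_html)
    collector.close()
    for src in collector.sources:
        try:
            url = urlsplit(src.strip())
        except ValueError:          # malformed URL, e.g. a broken IPv6 literal
            continue
        if url.scheme not in ("", "http", "https"):
            continue                # rejects javascript:, data:, etc.
        for provider in PROVIDERS:
            match = provider["path"].fullmatch(url.path)
            if url.hostname in provider["hosts"] and match:
                # Only the validated ID crosses from user input into the output.
                return provider["template"].format(id=match.group(1))
    return None

if __name__ == "__main__":
    # Constructed sample input: a valid src plus attributes and tags that get dropped.
    sample = ('<iframe src="https://www.youtube.com/embed/AbCdEfGhI_1?autoplay=1" '
              'onload="alert(1)"></iframe><script>alert(2)</script>')
    print(rebuild_embed(sample))
```

Because the output never contains any of the submitted markup, event-handler attributes, extra tags and query parameters are discarded rather than filtered.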