tags:

views:

64

answers:

3
+2  Q: 

How do I allow video embed html safely on a site?

Hi,

I have a php application in which we allow every user to have a "public page" which shows their linked video. We are having an input textbox where they can specify the embed video's html code. The problem we're running into is that if we take that input and directly display it on the page as it is, all sorts of scripts can be inserted here leading into a very insecure system.

We want to allow embed code from all sites, but since they differ in how they're structured, it becomes difficult to keep tabs on how each one is structured.

What are the approaches folks have taken to tackle this scenario? Are there third-party scripts that do this for you?

A: 

The best approach would be to have a white list tag that are allowed and remove everything else. It would also be necessary to filter all the attribute of those tag to remove the "onsomething" attribute.

In order to do a proper parsing, you need to use a XML parser. XMLReader and XMLWriter would works nicely to do that. You read the data from XMLReader, if the tag is in the white list, you write it in the XMLWriter. At the end of the process, you have your parsed data in the XMLWritter.

A code example of this would be this script. It has in the white list the tag test and video. If you give it the following input :

<z><test attr="test"></test><img />random text<video onclick="evilJavascript"><test></test></video></z>

It will output this :

<div><test attr="test"></test>random text<video><test></test></video></div>
HoLyVieR  2010-09-23 02:28:08
A: 

I would have the users input the URL to the video. From there you can insert the proper code yourself. It's easier for them and safer for you.

If you encounter an unknown URL, just log it, and add the code needed to support it.

konforce  2010-09-23 02:35:52
The problem is that all these sites generate html that are intended for the users to copy/paste - and we're asking for that from our users. It would be too confusing for them if we ask them to copy paste the web links directly
matt_tm  2010-09-23 05:12:17
You could easily accept either. The embed code would also contain the URL/id of the video.
konforce  2010-09-23 07:37:32
thats actually a very interesting idea... i dont think i can use it for the current project, but something to keep in mind for later...
matt_tm  2010-09-23 13:12:36
+1  A: 

Consider using some sort of pseudo-template which takes advantage of oEmbed. oEmbed is a safe way to link to a video (as the content authority, you're not allowing direct embed, but rather references to embeddable content).

For example, you might write a parser that searches for something like:

[embed]http://oembed.link/goes/here[/embed]

You could then use one of the many PHP oEmbed libraries to request the resource from the provided link and replace the pseudo-embed code with the real embed code.

Hope this helps.

mattbasta  2010-09-23 03:04:36

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases