Is it possible to filter video embed with htmlspecialchars()

Question

I am allowing users to embed videos on their page, but just in case I want to filter the output. To present the video I retrieve the embed statement from the database but when it is filtered, it is presented in raw code. Is there a video friendly way to filter something like this or does anyone have any suggestions on a different way to do it? Thanks in advance for any advice.

while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
$video= htmlspecialchars( $row['video'], ENT_NOQUOTES, 'UTF-8' );
}

echo "$video";

In the database, the video will look like this for example

    <object width="464" height="368" id="669545" type="application/x-shockwave-flash" 
classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" alt="Aqua Teen Hunger Force - Hand Banana Funny 
 Videos"><param name="movie" value="http://embed.break.com/NjY5NTQ1"&gt;&lt;/param&gt;&lt;param 
name="allowScriptAccess" value="always"></param><embed src="http://embed.break.com/NjY5NTQ1" 
type="application/x-shockwave-flash" allowScriptAccess=always width="464" height="368"></embed></
object><br><font size=1><a href="http://www.break.com/usercontent/2009/2/Aqua-Teen-Hunger-Force-Hand-
Banana-669545.html" target="_blank">Aqua Teen Hunger Force - Hand Banana</a> - Watch more <a href="http://
www.break.com" target="_blank">Funny  Videos</a></font>

Answer 1

In general you should be htmlspecialchars()ing user-input at the point you insert it into HTML. But in this case you already have HTML, so there's nothing much you can do.

You can't usefully filter embedded plugins. If you are allowing users to specify an arbitrary Flash file or other plugin, you have already effectively given them free cross-site-scripting access into your security context, and no amount of string sanitisation will fix that.

If you really need to allow users to submit arbitrary Flash or other <object>/<embed> code, you will need to host that untrusted code in a separate security context. Typically, you put the main site on www.example.com, and include an <iframe> to stuff.example.com which spits out the untrusted <object> code. Then when the plugin code tries to do something hostile, at least it can only affect stuff.example.com and not any of your real webapp on www.example.com.

Alternatively, you could only allow users to post video content from providers you trust, eg. youtube.com. You then just let them submit a YouTube video ID, and build up the <object> code yourself to point to the URL for that ID.