
Webmaster General Forum

    
Letting Users Embed Code Safely
matthewamzn




msg:3515846
 3:36 am on Nov 29, 2007 (gmt 0)

I have a forum where people can share YouTube videos. I'd like to give them the option of embedding any media content from the big video sharing sites (they all seem to offer embedding code).

My fear is that letting them embed any code isn't safe. Is there a solution to this?

Could I put the embedded code in a javascript to strip out the harmful code?

 

rocknbil




msg:3515881
 5:29 am on Nov 29, 2007 (gmt 0)

If someone wants to abuse your forum by pasting malicious code, javascript won't help. They'll just disable javascript.

The best approach is to not "guess" what's bad - just approve only what you know is acceptable. So for example, if you only wanted to allow embedded YouTube video, you would seek out patterns that identify a YouTube chunk of code, and other attempts at embed you would filter out of the input.

You would want to do this server side, through whatever programming interface your board uses - php, perl, etc.

kolin




msg:3516175
 2:21 pm on Nov 29, 2007 (gmt 0)

Can you not get them to just enter the YouTube code as opposed to the whole URL? Then you can have the site have the YouTube player, so they don't have to embed code?

thecoalman




msg:3516728
 12:33 am on Nov 30, 2007 (gmt 0)

To be fairly safe you would need to create custom bbcodes and have the bbcode parser recognize and apply the correct html tags so the user can't input any html directly.

While on the topic, phpBB3 doesn't even allow HTML out of the box; it does, however, allow you to create custom bbcodes. The person only has to wrap the YouTube bbcode tags around the URL and the bbcode parser takes care of the rest. You can create practically any custom bbcodes for the HTML you want to allow. The inputted data is validated by the bbcode parser to prevent any malicious code.

jtara




msg:3516813
 2:58 am on Nov 30, 2007 (gmt 0)

Why should the user have to enter any code at all? Am I misunderstanding this?

Since you are limiting this to "the big video sharing sites", why don't you have the user simply plug in the URL to the video, and then YOU add the necessary embedding code to the page?

You will of course have to carefully check the URL for validity.
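
Added example, not part of the thread and not code from any poster: a server-side sketch of the approach the replies converge on, where the user submits only a URL, the server checks it against an allowlist, and the server writes the embed markup itself. The function names, the host lists, the 11-character video ID pattern and the iframe attributes are assumptions made for this illustration.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Assumption: video IDs are exactly 11 characters from [A-Za-z0-9_-].
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
WATCH_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}  # assumed allowlist
SHORT_HOSTS = {"youtu.be"}

def extract_video_id(url):
    """Return the video ID if url is an allowlisted video link, else None."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on garbage
    except ValueError:
        return None
    # Only plain web URLs: no javascript:/data: schemes, no odd ports.
    if parts.scheme not in ("http", "https") or port is not None:
        return None
    # Reject userinfo such as https://www.youtube.com@other.example/
    if parts.username is not None or parts.password is not None:
        return None
    # Exact host match, so www.youtube.com.other.example does not pass.
    if host in WATCH_HOSTS and parts.path == "/watch":
        candidate = parse_qs(parts.query).get("v", [""])[0]
    elif host in SHORT_HOSTS:
        candidate = parts.path.lstrip("/")
    else:
        return None
    # fullmatch: the whole value must fit the ID pattern, nothing extra.
    return candidate if VIDEO_ID.fullmatch(candidate) else None

def render_embed(url):
    """Build the embed markup from the ID alone; user text is never echoed."""
    vid = extract_video_id(url)
    if vid is None:
        return None
    src = escape(f"https://www.youtube.com/embed/{vid}", quote=True)
    return (f'<iframe width="560" height="315" src="{src}" '
            'frameborder="0" allowfullscreen></iframe>')

if __name__ == "__main__":
    # Constructed sample submissions, not real forum data.
    for sample in ("https://www.youtube.com/watch?v=abcDEF_1234",
                   "https://www.youtube.com.evil.example/watch?v=abcDEF_1234",
                   "<script>alert(1)</script>"):
        print(sample, "->", render_embed(sample))
```

Anything that fails the check is dropped rather than repaired, so the only user-controlled text that reaches the page is an ID that already matched the strict pattern.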
