homepage Welcome to WebmasterWorld Guest from 54.211.230.186
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

    
Letting Users Embed Code Safely
matthewamzn

5+ Year Member



 
Msg#: 3515844 posted 3:36 am on Nov 29, 2007 (gmt 0)

I have a forum where people can share youtube videos. I'd like to give them the option of embedding an media content from the big video sharing sites (they all seem to offer embedding code).

My fear is that letting them embed any code isn't safe. Is there a solution to this?

Could I put the embedded code in a javascript to strip out the harmful code?

 

rocknbil

WebmasterWorld Senior Member rocknbil us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3515844 posted 5:29 am on Nov 29, 2007 (gmt 0)

If someone wants to abuse your forum by pasting malicious code, javascript won't help. They'll just disable javascript.

The best approach is to not "guess" what's bad - just approve only what you know is acceptable. So for example, if you only wanted to allow embedded youtube video, you would seek out patterns that identify a youtube chunk of code and and other attempts at embed you would filter out of the input.

You would want to do this server side, through whatever programming interface your board uses - php, perl, etc.

kolin

5+ Year Member



 
Msg#: 3515844 posted 2:21 pm on Nov 29, 2007 (gmt 0)

can you not get them to just enter the youtube code as opposed to the whole url? then you can have the site have the youtube player, so they dont have to embed code?

thecoalman

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3515844 posted 12:33 am on Nov 30, 2007 (gmt 0)

To be fairly safe you would need to create custom bbcodes and have the bbcode parser recognize and apply the correct html tags so the user can't input any html directly.

While on the topic phpbb3 doesn't even allow html out of the box, it does however allow you to create custom bbcodes . The person only has to wrap the youtube bbcode tags around the url and the bbcode parser takes care of the rest. You can create practically any custom bbcodes for the html you want to allow. The inputed data is validated by the bbcode parser to prevent any malicious code.

jtara

WebmasterWorld Senior Member jtara us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 3515844 posted 2:58 am on Nov 30, 2007 (gmt 0)

Why should the user have to enter any code at all? Am I misunderstanding this?

Since you are limiting this to "the big video sharing sites", why don't you have the user simply plug-in the URL to the video, and then YOU add the necessary embedding code to the page?

You will of course have to carefully check the URL for validity.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved