
How do you allow videos in forum posts

when attempting to sanitize user-submitted content

   
10:13 pm on Sep 30, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Assuming you filter user-submitted content (to prevent scripting attacks and whatnot), how do you then allow your users to post videos from sites like YouTube, Vimeo, etc. in which the "copy and paste" code explicitly contains scripting?
3:30 pm on Oct 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You'd have to validate, and the what/how depends on the forum software. With phpBB you can create custom BBcodes but you need to be careful you limit it. For example the base URL for a YouTube video is:


[youtube.com...]

The BBcode setup in the control panel would look something like this:


[youtube]http://www.youtube.com/watch?v={SIMPLETEXT}[/youtube]

The URL when posted would first have to start with:

[youtube.com...]

{SIMPLETEXT} only allows for "Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore".

If the posted URL doesn't meet those criteria, it's rejected and parsed as plain text. If it does meet those criteria, the second panel allows for replacement, which in this case would be the HTML provided by YouTube (note I shortened it to keep it simple):


<object width="300" height="200"><param name="movie" value="http://www.youtube.com/v/{SIMPLETEXT}"></object>

The only input you're using from the user is the {SIMPLETEXT} which can only contain the values I listed above. How other forums handle it I don't know and they may require modification.
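The allowlist-and-replace approach described in the post above, as an added Python sketch (not part of the original post and not phpBB's own code). The function name `render_post` and the sample video IDs are hypothetical; the character class follows the {SIMPLETEXT} description quoted in the post.

```python
import html
import re

# {SIMPLETEXT} as described in the post: Latin letters, digits, spaces,
# commas, dots, minus/hyphen, plus and underscore. No quotes, angle
# brackets, ampersands or slashes can appear in the captured token.
SIMPLETEXT = r"[A-Za-z0-9 ,.+_-]+"

# The posted tag must start with the fixed URL prefix from the BBCode setup.
TAG_RE = re.compile(
    r"\[youtube\]http://www\.youtube\.com/watch\?v=(" + SIMPLETEXT + r")\[/youtube\]"
)

# Replacement HTML: everything is fixed except the validated token.
EMBED = (
    '<object width="300" height="200">'
    '<param name="movie" value="http://www.youtube.com/v/{token}">'
    "</object>"
)


def render_post(raw: str) -> str:
    """HTML-escape the whole post; expand only well-formed [youtube] tags."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(raw):
        out.append(html.escape(raw[pos:m.start()]))  # user text stays inert
        out.append(EMBED.format(token=m.group(1)))   # only the token is used
        pos = m.end()
    out.append(html.escape(raw[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts (video IDs are made up).
    samples = [
        "[youtube]http://www.youtube.com/watch?v=AbC123_-xyz[/youtube]",
        # Extra query parameter: '&' is outside SIMPLETEXT, so it is rejected.
        "[youtube]http://www.youtube.com/watch?v=AbC123&feature=x[/youtube]",
        # Attempt to break out of the attribute: rejected and escaped.
        '[youtube]http://www.youtube.com/watch?v=a"><script>x</script>[/youtube]',
        # Pasted embed code is never passed through as markup.
        '<object><param name="movie" value="http://example.test/v"></object>',
    ]
    for s in samples:
        print(render_post(s))
```

A tag that fails validation is not dropped; it is shown as escaped plain text, matching the "rejected and parsed as plain text" behaviour in the post.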

 
