Letting Users Embed Code Safely

Forum Moderators: phranque

Message Too Old, No Replies

Letting Users Embed Code Safely

matthewamzn

3:36 am on Nov 29, 2007 (gmt 0)

I have a forum where people can share youtube videos. I'd like to give them the option of embedding an media content from the big video sharing sites (they all seem to offer embedding code).

My fear is that letting them embed any code isn't safe. Is there a solution to this?

Could I put the embedded code in a javascript to strip out the harmful code?

rocknbil

5:29 am on Nov 29, 2007 (gmt 0)

If someone wants to abuse your forum by pasting malicious code, javascript won't help. They'll just disable javascript.

The best approach is to not "guess" what's bad - just approve only what you know is acceptable. So for example, if you only wanted to allow embedded youtube video, you would seek out patterns that identify a youtube chunk of code and and other attempts at embed you would filter out of the input.

You would want to do this server side, through whatever programming interface your board uses - php, perl, etc.

kolin

2:21 pm on Nov 29, 2007 (gmt 0)

can you not get them to just enter the youtube code as opposed to the whole url? then you can have the site have the youtube player, so they dont have to embed code?

thecoalman

12:33 am on Nov 30, 2007 (gmt 0)

To be fairly safe you would need to create custom bbcodes and have the bbcode parser recognize and apply the correct html tags so the user can't input any html directly.

While on the topic phpbb3 doesn't even allow html out of the box, it does however allow you to create custom bbcodes . The person only has to wrap the youtube bbcode tags around the url and the bbcode parser takes care of the rest. You can create practically any custom bbcodes for the html you want to allow. The inputed data is validated by the bbcode parser to prevent any malicious code.

jtara

2:58 am on Nov 30, 2007 (gmt 0)

Why should the user have to enter any code at all? Am I misunderstanding this?

Since you are limiting this to "the big video sharing sites", why don't you have the user simply plug-in the URL to the video, and then YOU add the necessary embedding code to the page?

You will of course have to carefully check the URL for validity.