Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
My fear is that letting them embed any code isn't safe. Is there a solution to this?
The best approach is to not "guess" what's bad - just approve only what you know is acceptable. So for example, if you only wanted to allow embedded youtube video, you would seek out patterns that identify a youtube chunk of code and and other attempts at embed you would filter out of the input.
You would want to do this server side, through whatever programming interface your board uses - php, perl, etc.
While on the topic phpbb3 doesn't even allow html out of the box, it does however allow you to create custom bbcodes . The person only has to wrap the youtube bbcode tags around the url and the bbcode parser takes care of the rest. You can create practically any custom bbcodes for the html you want to allow. The inputed data is validated by the bbcode parser to prevent any malicious code.
Since you are limiting this to "the big video sharing sites", why don't you have the user simply plug-in the URL to the video, and then YOU add the necessary embedding code to the page?
You will of course have to carefully check the URL for validity.