All geek questions in one place

How to enable html embed video safely on site?

I have a php application in which we allow each user to have a “public page” that displays a related video. We have an input text box where they can indicate the html video embed code. The problem we are facing is that if we take this input and immediately show it on the page as it is, all kinds of scripts can be inserted here, leading to a very unsafe system.

We want to allow embed code from all sites, but since they differ in how they are structured, it becomes difficult to keep track of how each of them is structured.

What are the approaches that people have taken to address this scenario? Are there any third-party scripts that do this for you?

+3
source share
3 answers

Consider using a kind of pseudo-template that uses oEmbed . oEmbed is a safe way to link to videos (as the authority of the content, you do not allow direct embedding, but rather links to embedded content).

For example, you can write a parser that is looking for something like:

[embed]http://oembed.link/goes/here[/embed]

Then you can use one of the many PHP OEmbed libraries to request a resource from the provided link and replace the pseudo embed code with real embed code.

Hope this helps.

+1
source

, . , "onsomething".

, XML. XMLReader XMLWriter . XMLReader, , XMLWriter. XMLWritter.

script. test video. :

<z><test attr="test"></test><img />random text<video onclick="evilJavascript"><test></test></video></z>

:

<div><test attr="test"></test>random text<video><test></test></video></div>
0

, URL- . . .

If you encounter an unknown URL, simply register it and add the code necessary to support it.

0
source

Source: https://habr.com/ru/post/1766114/

More articles:


All Articles