this is most probably something very simple so please excuse me.
i have a variable $postVideo and within in variable is the entire embed code for a you tube link:
<iframe width="420" height="315"
src="//www.youtube.com/embed/UF-6M06lPZo"
frameborder="0" allowfullscreen></iframe>
now when i do echo $postVideo; it does not display the you tube video it shows the code on my page and in view source its printing this:
<iframe width="420"
height="315"
src="//www.youtube.com/embed/UF-6M06lPZo" frameborder="0"
allowfullscreen></iframe>
now i know i can have the user put in the youtube ID and i do it that way, but the users in my CMS may add multiple Video's from multiple sources so wanted them to just add the embed code supplied.
so i suppose the question is how do i print it without the special char so it acts like it should.
thank you in advance.
PS don't watch the video if you are offended by bad language (its just a random one from yourtube)
It looks like your CMS is automatically converting HTML entities for you to prevent XSS attacks. You just need to perform the opposite conversion using html_entity_decode(). Like this:
echo html_entity_decode($postVideo);
Though, you should keep in mind you will be outputting any arbitrary HTML the user entered onto the page. This could present a security issue if the user enters some kind of malicious script.
Related
I am trying to remove ads from a live stream with jQuery. (I know this has been asked before, but it seems to be different in this case than in the other cases when this question has been asked some time ago.) In detail:
The iframe part of my page looks like this:
<iframe id="iframe" width="100%" height="360" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" allowfullscreen="yes" src="https://daddyhd.com/embed/stream-61.php"></iframe>
The PHP script (stream-61.php) loads the actual live stream (in a second iframe with id #thatframe). The problem is that the PHP script also loads a bunch of ads and scripts that continually load more ads. Plus, the second iframe can only be accessed from the server where is it stored (X-Frame-Options: SAMEORIGIN is set), so I cannot load it direct on my page.
After looking at the resulting HTML code from stream-61.php, I tried to use jQuery to .remove() all tags except the second iframe (#thatframe) with the actual live stream. It works on my computer, when I make up two iframes with my own div and script tags. But it does not work with the URL I gave above.
Any help or hint would be greatly appreciated.
OK, so I have this fully working PHP script, available HERE and the results should be shown in an iframe HERE under section "Best Results". But they are not.
However they are shown if I am viewing the page signed in as admin, but I frame is invisible to normal visitors. Why is that so? How can I solve that?
EDIT:
I am using Elementor to set up the page and Custom HTML widget element with the following code:
<iframe src="/zan/fai_pilot.php?p=4385" frameborder="0" width="100%" scrolling="yes" height="440">
</iframe>
When I load your outer page, i don't see an iframe tag in the Best Results section. So that leads me to believe if you're seeing it when logged in as admin, there is something in your Elementor config regarding roles/permissions you need to change.
The answer: Don't use "Custom HTML" element from the Elementor, use "Text Editor" element instead.
I searched around a bit before asking this, but couldn't find anything really relevant:
My problem is as follows: I'm creating (with php) an automated email that sends to a user the html code for an iframe that he has to embed in his website. But here's what happens:
The code i create (simplified in order to contain only the src tag) is like
<iframe src="http://blabla.php?arg1=xx&arg2=yy"></iframe>
I then place the code in a textarea tag.
But when the email arrives, my code has an extra anchor tag which I never placed, as follows:
<iframe src="http://blabla.php?arg1=xx&arg2=yy</iframe>
Any ideas why this happens and how I can get rid of it? Thanks.
Hey,
I own http://ilikeyou.tk/ which is a facebook like website.
Basically, users can add a phrase and/or a photo and like it on facebook.
Recently, when I tested a few stuff I found out that when I insert </
in the text box and create the page, it messes up with the like list.
(You can try posting </ and going back to homepage, scroll down to 'Recent Like' and watch it)
In sites like twitter and facebook, this stuff never happen.. so there might be a solution..
Any suggestions?
P.S;
Also, when i try to insert the photo link (http://profile.ak.fbcdn.net/hprofile-ak-snc4/188178_139794909415037_3755895_n.jpg) the whole index page goes down (I can still go to like pages like ilikeyou.tk/1/ but cant access ilikeyou.tk ... ).
When deleting the link from the database its all working fine again.
P.S2;
Sorry for my bad English
Thanks in advanced.
You need to call htmlspecialchars on all data coming from your database before displaying it on your page. Failure to do so not only causes problems such as the one you see, but it is also a big security issue: it allows cross-site scripting (XSS) attacks on your application.
So if you have $phrase coming in from anywhere (not only your database), it's wrong to do this:
echo $phrase;
You have to do this instead:
echo htmlspecialchars($phrase);
You can search SO or Google for "XSS" or "cross site scripting" for more information.
Well of course. I could also be inputting this into your text field:
<script type="text/javascript">
window.location = 'http://mysite.com';
</script>
This would steal all your visitors and send them to my site.
You cannot trust user input. Ever. And you should never trustingly insert user input into other content unsanitized. I hope you're at least aware of SQL injection?
For output into HTML, you can either remove anything that looks like a tag using strip_tags or escape characters that have a special meaning in HTML using htmlentities. Possibly you should use a mix of both.
I'm a total newbie to Facebook programming and would like to know, as a follow-up to this question, whether the following is possible.
I have a collection of events on a web site. I'm fetching them from several RSS feeds, and have total freedom in how to output them - e.g. as single pages, so there is a permalink for every event.
I would like to
Create a Facebook "like" button for each of the events without entering them into the Facebook system in any way
Read back the "like" status of the current user for any one of those events via JavaScript or on server side so I can display these events in a "events I like" list. The important thing is that I need to be able to read the status later = on subsequent page requests, not only in the moment the user clicks the "like" button.
#karim79's answer does answer the first part, but not the second yet.
this page contains all the information I need to create the button: Social plugins > Like button there also is an FBML event to react to when somebody signs up. But that still doesn't enable me to check the "like" status of a returning user.
Is there any way to do that?
A brain-dead way of automatically generating 'like' links for your site (which I recently implemented - so I know works) would be to simply generate the 'href' parameter which (facebook's) like.php reads from the iframe source. Just build the iframe code using their widget thingie and use PHP to dynamificate the href parameter:
<iframe src="http://www.facebook.com/plugins/like.php?href=<?php echo urlencode($url); ?>%2F&layout=button_count&show_faces=false&width=50&action=like&colorscheme=light&height=21" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:75px; height:21px;" allowTransparency="true"></iframe>
You can customise it to a limited extent, just see the attributes list right under the button creation widget.
Using fbml (which I was too lazy to incorporate, and somewhat reluctant due to the fact that I would have had to include yet-another-library):
<fb:like width="200" show_faces="no" href="<?php echo $url; ?>"></fb:like>
There's a neat list of examples here: http://fbrell.com/xfbml/fb:like