I am developing a web application with backend administration panel that allows users to insert video embedding code. This code will render the video on the corresponding page as i am echoing that code at that location.
The problem is that, when i echo the code, the code itself gets displayed instead of video being shown. Where i am going wrong?
Here is the code entered by user in the textarea in admin panel:
<pre>
<object id="vp110mFH" width="432" height="240" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"><param name="movie" value="http://static.animoto.com/swf/w.swf?w=swf/vp1&e=1340255540&f=10mFH15tm8Wyv1UT85DhEA&d=72&m=p&r=360p&volume=100&start_res=360p&i=m&ct=Click...To%20request%20more%20Info..&cu=http://schoolanduniversity.com/study_programs/more-information.php&options="></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed id="vp110mFH" src="http://static.animoto.com/swf/w.swf?w=swf/vp1&e=1340255540&f=10mFH15tm8Wyv1UT85DhEA&d=72&m=p&r=360p&volume=100&start_res=360p&i=m&ct=Click...To%20request%20more%20Info..&cu=http://schoolanduniversity.com/study_programs/more-information.php&options=" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="432" height="240"></embed></object>
</pre>
Please guide.
Regards,
Mrinal Purohit
It seems like you are displaying the html entities for your embed code, you could try using html_entity_decode() to get around this. Of course a better solution would be to store the embed code in the correct format, ie not encoded as entities.
Related
I'm trying to build a php video embedding function that parses the video URL automatically and then produces the right embed code out of that. I'm having trouble with the new blip.tv player because there is no reference the the video in the url that makes sense in the embed code. Here goes an example:
URL: http://blip.tv/NovusSwell/s3w31-hawaii-surfer-groms-with-potato-cannon-spud-gun-5471671
Embed Code:
<embed src="http://blip.tv/play/g8hQgs38GwI" type="application/x-shockwave-flash" width="550" height="327" wmode="transparent" allowscriptaccess="always" allowfullscreen="true" ></embed>
g8hQgs38GwI is the video Id that I cannot guess out of the URL.
Is there a solution to this?
According to Blip.tv Wiki here's what you need to do:
Get the RSS version of the item: http://blip.tv/rss/view/5471671 (Get id from the URL).
Parse what you got at step 1 (RSS is basically an XML file): Using XPath, the copy/paste code is found at /rss/channel/item/media:player
hopefully this is a simple question. I have a simple custom forum on my site written in PHP. For security reasons I don't allow any HTML in the forum posts. I only allow certain BBCode tags. I would however like to allow embedded YouTube videos.
So my question is this: What's the best (most secure) way to validate the YouTube embed code? YouTube is currently using iframes to embed videos, but obviously I can't just allow the iframe tag. I also need to ensure the src of the iframe is a YouTube URL, and ensure there's no other malicious bits of code in the iframe code.
You should allow users to use something like this:
[youtube]http://www.youtube.com/watch?v=te-TiL9YVaE[/youtube]
And then turn it to embed code using PHP when displaying a message:
function bb_youtube($post) {
return preg_replace(
"#\[youtube].*?v=([^&]+).*?\[/youtube\]#im",
'<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/$1?fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/$1?fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>',
$post
);
}
The safest way is to create a [youtube] tag. http://www.youtube.com/watch?v=PVHzXnS5Gms could become [youtube v='PVHzXnS5Gms'][/youtube] (or your syntax of choice).
To convert this into a YouTube embed code, take <object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/VIDEO_ID?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/VIDEO_ID?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object> and replace VIDEO_ID with the identifier.
I have a site based on php/mySQL where publishers had inserted a lot of youtube videos in a specific database column copiyng/pasting youtube embed codes. There is a wide variance of the codes reflecting the variations google made during time. Different sizes of the player window is the main variation. Now I need to uniform all the windows, but I don't know where to start. What I need to reach is something like a regexp to eliminate all the not necessary code from the various entries (i.e. convert all embed codes in their corresponding youtube url?) and then create a script to generate the player code runtime...
Some help to look where to start?
Thank you!
New Complete Solution:
<?php
//your bad code which you want to sanitize
$BadCode = '<object width="640" height="385">
<param name="movie" value="http://www.youtube.com/v/TvJsRX9SKUo?fs=1&hl=it_IT"></param>
<param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/TvJsRX9SKUo?fs=1&hl=it_IT" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed>
</object>';
//Get Youtube Video ID
preg_match('#(?<=youtube\.com/v/)\w+#', $BadCode, $matches);
$VideoID = $matches[0];
//New Correct and consistent embed code template. Create whatever consistent template you want. Then all your videos will follow this template. Change the place where video-id appears as [VIDEOID]
$template = '<object type="application/x-shockwave-flash" style="width:450px; height:366px;" data="http://www.youtube.com/v/[VIDEOID]?showsearch=0&fs=1">
<param name="movie" value="http://www.youtube.com/v/[VIDEOID]?showsearch=0&fs=1" /><param name="allowFullScreen" value="true" />
</object>';
//Insert our VideoID into this template.
$GoodCode = str_replace('[VIDEOID]', $VideoID, $template);
//Display code for testing
echo $GoodCode;
//Update your database table (please change variables yourself)
//mysql_query("update tablename set YoutubeCode = '".$GoodCode."' where ID={$ID}");
?>
Old Summarized Answer:
[Regex for extracting video ID]. After getting video ID, you have the video ID. Use this ID to generate a clean consistent code for all your videos. Then, update the database.
I'm going to store the video embed code from youtube since users can upload videos. What should be the data type of the field where I would store the video embed code.
Video embed code like this:
<object width="640" height="385">
<param name="movie" value="http://www.youtube.com/v/M8uPvX2te0I?fs=1&hl=en_US"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/M8uPvX2te0I?fs=1&hl=en_US"
type="application/x-shockwave-flash" allowscriptaccess="always"
allowfullscreen="true" width="640" height="385"></embed>
</object>
How much of that actually varies by video? You could either store the whole snippet as a string, or just store the relevant sections - in particular, the clip ID (M8uPvX2te0I) and possibly the width and height, if that varies. Storing the relevant data instead of the verbatim HTML will make it easier to serve different HTML from your existing data if the "template" changes or if you want to serve different HTML to different clients.
I've been assigned a project for a website where users will be allowed to upload video's (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.).
Having no experience with allowing users to embed video:
How can I best protect against cross site scripting and/or cross site request forgery attacks specifically for video embedding? What are some of the common pitfalls to watch for?
At a minumum I would think to strip all tags except <object>, <param> and <embed>. But I have a feeling this will not be enough, will it?
edit
Also:
Do you think allowing only known video domainnames in the <embed src= and <param name="movie" value= attributes is enough to prevent rogue flash movies from being embedded in those attributes?
/edit
If it is of importance, the environment will be:
PHP/Zend Framework
MySQL
Bonuspoints:
Is there a common minimum golden rule/code template for video embed codes that are valid across all video sites that I could use to filter the input?
First and most dangerous xss (?) is that flash can read your DOM... Don't embed videos on pages where user can input his/hers login data. Login forms should be separated.
Usually flash embeds uses code that looks similar to:
Youtube:
<object width="425" height="350">
<param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />
<param name="wmode" value="transparent" />
<embed src="http://www.youtube.com/v/AyPzM5WK8ys"
type="application/x-shockwave-flash"
wmode="transparent" width="425" height="350" />
</object>
Vimeo:
<object width="400" height="225">
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=10239065&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" />
<embed src="http://vimeo.com/moogaloop.swf?clip_id=10239065&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed>
</object>
<p>La Fete (HD - 2010) from Malcolm Sutherland on Vimeo.</p>
Metacafe:
<embed src="http://www.metacafe.com/fplayer/4317045/bmx_face_slide.swf" width="400" height="345" wmode="transparent" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" name="Metacafe_4317045"> </embed>
<br><font size = 1>BMX Face Slide - Free videos are just a click away</font>
Best solution for enabling embeded content is to strip tags with exception for embed, param, object and list of attributes from the the samples that can be used.
Remember, some attributes can run javascript code as well as anchor's href...
Edit:
Allowing only trusted sites in src and param's value attribute is kinda good way to prevent hAx0rs from doing bad things but it's not flawles. Another big thing: read more about allowScriptAccess. Its a Param's attribute you should remove or set to sameDomain / never. It will prevent SWF from running javascript :)
Why don't you just visit all the sites, save their embed code, and then only allow your users to submit the required site's parameters?