For my blog application I want to add a feature for the blog writer to embed a YouTube video directly.
My problem is the following: The input text of course is cleared of all HTML code by this function:
function strip($document){
    $search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
                    '@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
                    '@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}

I created a BBCode tag [youtube] [/youtube] to embed the object, but it is of course HTML and gets filtered.
My thought now was to get each occurrence of the YouTube code and save it with preg_match_all() and replace it with a placeholder like 'youtubevideo_1', 'youtubevideo_2' etc.
Call the html strip function and rewrite the placeholders with the original code.
However I am still not sure if this is the best solution or if malicious code could be hidden in that youtube object.
Does anyone have a better solution or a function to sanitize a YouTube embedded object?
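
Added example (not part of the original post): a variant of the placeholder idea described above that never stores the writer's HTML. It keeps only a validated video ID and builds the embed markup server-side. The helper names, the nonce placeholder format, the 11-character ID pattern and the iframe markup are assumptions made for this example.

```php
<?php
// strip() as posted in the question.
function strip($document) {
    $search = array('@<script[^>]*?>.*?</script>@si', '@<style[^>]*?>.*?</style>@siU',
                    '@<[\/\!]*?[^<>]*?>@si', '@<![\s\S]*?--[ \t\n\r]*>@');
    return preg_replace($search, '', $document);
}

// Hypothetical helper: accept a bare ID or a plain watch/short URL and return
// the ID, or null. The 11-character ID pattern is an assumption.
function youtube_id($raw) {
    $re = '~^(?:https?://(?:www\.)?(?:youtube\.com/watch\?v=|youtu\.be/))?([A-Za-z0-9_-]{11})$~';
    return preg_match($re, trim($raw), $m) ? $m[1] : null;
}

// Hypothetical renderer for one post body.
function render_post($input) {
    $ids = array();
    $nonce = bin2hex(random_bytes(8)); // per call, so a writer cannot forge a placeholder
    // 1. Swap each [youtube]...[/youtube] for a placeholder; keep only the validated ID.
    $text = preg_replace_callback('~\[youtube\](.*?)\[/youtube\]~is',
        function ($m) use (&$ids, $nonce) {
            $id = youtube_id($m[1]);
            if ($id === null) {
                return ''; // anything that is not a plain ID/URL is dropped, never echoed
            }
            $ids[] = $id;
            return '[[yt:' . $nonce . ':' . (count($ids) - 1) . ']]';
        }, $input);
    // 2. Strip HTML as before, then escape the remainder (extra step added in this example).
    $text = htmlspecialchars(strip($text), ENT_QUOTES, 'UTF-8');
    // 3. Generate the embed markup from the validated ID only.
    return preg_replace_callback('~\[\[yt:' . $nonce . ':(\d+)\]\]~',
        function ($m) use ($ids) {
            $i = (int) $m[1];
            if (!isset($ids[$i])) {
                return '';
            }
            return '<iframe width="560" height="315" src="https://www.youtube.com/embed/'
                . $ids[$i] . '" allowfullscreen></iframe>';
        }, $text);
}

// Constructed sample input: one valid tag (made-up ID), one tag carrying markup.
$sample = 'Hi <b>all</b> [youtube]abcDEF12_-x[/youtube] '
        . '[youtube]"><script>alert(1)</script>[/youtube]';
echo render_post($sample), "\n";
```

Because the only writer-controlled value that reaches the output is an ID matching the allowlist pattern, nothing the writer types inside the tag is ever emitted as HTML.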