
Embed a YouTube Video [solved]

Posted: Tue May 12, 2009 5:35 am
by AGISB
Hi

For my blog application I want to add a feature for the blog writer to embed a YouTube video directly.

My problem is the following: the input text is, of course, cleared of all HTML code by this function:

Code:

function strip($document){
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
                    '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}
Now I can read the regular expressions a bit, but I am hardly able to rewrite them.

I created a bbcode tag [youtube] [/youtube] to embed the object, but it is of course HTML and gets filtered.

My thought now was to get each occurrence of the YouTube code, save it with preg_match_all() and replace it with a placeholder like 'youtubevideo_1', 'youtubevideo_2' etc.

Call the html strip function and rewrite the placeholders with the original code.

However, I am still not sure if this is the best solution or if malicious code could be hidden in that YouTube object.

Does anyone have a better solution or a function to sanitize an embedded YouTube object?

Re: Embed a YouTube Video

Posted: Tue May 12, 2009 5:42 am
by jayshields
If you have some sort of bbcode-style tag for embedding a YouTube video which is something like [youtube=324342343] - where 324342343 is the ID of the video - I can't see how that could ever be used maliciously.

On a side note: I'm not a master of regexp, but I think your HTML filtering regexp is flawed. What happens if someone submits

Code:

This is my message. <scr<script></script>ipt>alert();</scr<script></script>ipt> Can you see the alert?

Re: Embed a YouTube Video

Posted: Wed May 13, 2009 3:47 am
by AGISB
jayshields wrote:If you have some sort of bbcode-style tag for embedding a YouTube video which is something like [youtube=324342343] - where 324342343 is the ID of the video - I can't see how that could ever be used maliciously.

On a side note: I'm not a master of regexp, but I think your HTML filtering regexp is flawed. What happens if someone submits

Code:

This is my message. <scr<script></script>ipt>alert();</scr<script></script>ipt> Can you see the alert?

I only see the text -> " alert(); "

No script tags, no harm. As preg_replace first removes the <script></script>, the remaining text shows the next scripts and those are removed as well. So that works fine for me.

BTW: I solved the problem by accepting the URL instead of the object code. I simply replace all URLs matching the YouTube regex with it after the sanitation call.
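
The approach AGISB ends up with (strip the HTML first, then rewrite YouTube URLs into the embed), as an added example in PHP that is not AGISB's or jayshields' code. The function names, the iframe template and the assumption that a video ID is exactly 11 characters from [A-Za-z0-9_-] are mine; the sample post is constructed.

```php
<?php
// Added example, not code from the thread. Order of operations follows the
// solved approach: blacklist-strip the HTML, escape what remains, and only then
// turn YouTube URLs into markup built from a fixed template around a validated ID.

function strip_html(string $document): string {
    // The same four patterns as the thread's strip() function.
    $search = [
        '@<script[^>]*?>.*?</script>@si',   // script blocks
        '@<style[^>]*?>.*?</style>@siU',    // style blocks
        '@<[\/\!]*?[^<>]*?>@si',            // remaining tags
        '@<![\s\S]*?--[ \t\n\r]*>@',        // multi-line comments / CDATA
    ];
    return preg_replace($search, '', $document);
}

function youtube_embed(string $id): string {
    // $id has already been matched against the strict ID pattern below, so the
    // only characters that reach the attribute are from a fixed alphabet.
    $safeId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    return '<iframe width="560" height="315" frameborder="0" allowfullscreen'
         . ' src="https://www.youtube.com/embed/' . $safeId . '"></iframe>';
}

function render_post(string $input): string {
    $text = strip_html($input);
    // Escape whatever survived the strip so no leftover '<', '&' or quotes can
    // form markup later; the YouTube URL itself contains none of these.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    // Assumption: IDs are 11 chars of [A-Za-z0-9_-]; the lookahead refuses a
    // longer token so a partial match cannot be pulled out of junk.
    $url = '@https?://(?:www\.)?(?:youtube\.com/watch\?v=|youtu\.be/)'
         . '([A-Za-z0-9_-]{11})(?![A-Za-z0-9_-])@';
    return preg_replace_callback($url, function (array $m): string {
        return youtube_embed($m[1]);
    }, $text);
}

// Constructed sample: jayshields' probe plus a URL with a made-up ID.
$sample = 'This is my message. <scr<script></script>ipt>alert();</scr<script></script>ipt>'
        . ' Watch https://www.youtube.com/watch?v=AbCdEfGhIjK today.';
echo render_post($sample), PHP_EOL;
```

Everything the writer typed is either stripped or entity-escaped before the URL pass, and the iframe is assembled from constants plus an ID that matched the strict character class, so the sanitizer's blacklist regexes no longer decide what markup is emitted.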

Re: Embed a YouTube Video

Posted: Wed May 13, 2009 5:47 am
by jayshields
AGISB wrote:No script tags, no harm. As preg_replace first removes the <script></script>, the remaining text shows the next scripts and those are removed as well. So that works fine for me.
I don't understand what you're saying when you say "and those are removed as well" - by what?

Re: Embed a YouTube Video

Posted: Thu May 14, 2009 9:27 am
by AGISB
jayshields wrote: I don't understand what you're saying when you say "and those are removed as well" - by what?

preg_replace replaces every instance of a regular expression in a string. When the first is removed, there is another (now a new one) and it gets replaced. It is similar to a while loop running until the substring is no longer found in the string.