PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours

PostPosted: Tue Dec 04, 2012 12:04 pm 
Forum Contributor

Joined: Fri Jul 11, 2008 5:49 pm
Posts: 178
In a custom CMS I wrote, all tags the site updaters enter in textareas and text fields are stripped out except formatting tags. This makes it impossible, for instance, to embed javascript, but when the user wants to embed a video (such as from Youtube) the iframe or object tag must be allowed, which concerns me.

I'm trying to figure out if there is a secure way to allow embedded media, and I'm not completely clear regarding how vulnerable it is to allow iframes and/or <object>.

Thoughts appreciated.

PostPosted: Tue Dec 04, 2012 1:46 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
If you don't trust the user to input HTML then do not allow any HTML. That's why things like BBCode exist: to give the user a markup that won't automatically be parsed by a browser.

Let them enter something like "[video]http://www.youtube.com/blah[/video]", then convert that to the appropriate HTML tag(s).

 
PostPosted: Tue Dec 04, 2012 2:07 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA

 
PostPosted: Tue Dec 04, 2012 4:19 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US

_________________
(#10850)

 
PostPosted: Tue Dec 04, 2012 4:39 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
oops! :)

 
PostPosted: Wed Dec 05, 2012 2:40 am 
Forum Contributor

Joined: Fri Jul 11, 2008 5:49 pm
Posts: 178
Thanks for the thoughts. I think I need to state my question differently. Youtube uses either iframe or <object> for embedded video. I need to understand if these methods are security risks, and if so, how to manage them, or if I should simply block them.

My users manage their CMS content in a password-protected environment (2-way encryption) and the users would not intentionally add malicious content, but because my system cannot perform sanitization/validation on the embedded code between iframe or object tags, they both seem like weak links in my site security. I prefer that video be hosted at Youtube rather than on my VPS.

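As an added illustration of the [video] BBCode approach suggested earlier in this thread, and of how it answers the iframe/object concern in the post above, here is example code written for this thread (not code from the forum, from any poster, or from the CMS discussed). The idea: the updater never types an iframe or object tag at all; the only thing taken from their input is a video id that has been validated against a strict pattern, and the iframe around it is a constant template. The host allowlist, the 11-character id rule and the sandbox attribute values are assumptions made for this example.

```php
<?php
// Added example, not the forum's or the CMS's own code.
// Converts [video]URL[/video] into a fixed YouTube iframe embed so that
// untrusted <iframe>/<object> markup never has to be allowed through.
declare(strict_types=1);

/**
 * Return the YouTube video id found in $url, or null if the URL is not on the
 * allowlisted hosts or the id does not match the expected shape.
 * The host list and the id pattern are assumptions for this example.
 */
function youtubeVideoId(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // rejects javascript:, data:, etc.
    }
    $host = strtolower($parts['host']);
    $id = null;
    if (in_array($host, ['www.youtube.com', 'youtube.com', 'm.youtube.com'], true)) {
        parse_str($parts['query'] ?? '', $query);
        $id = $query['v'] ?? null;
    } elseif ($host === 'youtu.be') {
        $id = ltrim($parts['path'] ?? '', '/');
    } else {
        return null; // any other host is not embedded
    }
    // Only an 11-character id from [A-Za-z0-9_-] is accepted; nothing else
    // from the user's URL ever reaches the emitted markup.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) {
        return null;
    }
    return $id;
}

/**
 * Escape the whole text first, then replace each [video]...[/video] tag with
 * a constant iframe template. The template is the only raw HTML in the output.
 */
function renderVideoBbcode(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace_callback(
        '/\[video\](.*?)\[\/video\]/i',
        function (array $m): string {
            // The URL was escaped above (e.g. & became &amp;); undo that before parsing.
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $id = youtubeVideoId($url);
            if ($id === null) {
                // Unknown host or malformed id: leave the escaped text, embed nothing.
                return $m[1];
            }
            // sandbox keeps the frame from navigating the top page or opening
            // popups; allow-scripts/allow-same-origin are needed for the player.
            return '<iframe width="560" height="315"'
                . ' src="https://www.youtube.com/embed/' . $id . '"'
                . ' sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe>';
        },
        $escaped
    );
}

// Constructed sample input: one allowlisted URL with a made-up id, one URL on a
// host that is not allowlisted and is therefore shown as plain text.
$sample = "Watch this: [video]https://www.youtube.com/watch?v=Abc123DEF-_[/video]\n"
        . "Not embedded: [video]https://other-site.example/player?v=Abc123DEF-_[/video]";
echo renderVideoBbcode($sample), PHP_EOL;
```

Because the output is built from a constant template plus a pattern-checked id, the CMS no longer needs to reason about what is inside an updater-supplied iframe or object tag; those tags can stay stripped along with everything else that is not a formatting tag.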
 
PostPosted: Wed Dec 05, 2012 3:24 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

 
PostPosted: Wed Dec 05, 2012 10:42 am 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US

_________________
(#10850)
