iframe vs object tag vs ?

Posted: Tue Dec 04, 2012 11:04 am
by rhecker
In a custom CMS I wrote, all tags the site updaters enter in textareas and text fields are stripped out except formatting tags. This makes it impossible, for instance, to embed javascript, but when the user wants to embed a video (such as from Youtube) the iframe or object tag must be allowed, which concerns me.

I'm trying to figure out if there is a secure way to allow embedded media, and I'm not completely clear regarding how vulnerable it is to allow iframes and/or <object>.

Thoughts appreciated.

Re: iframe vs object tag vs ?

Posted: Tue Dec 04, 2012 12:46 pm
by requinix
If you don't trust the user to input HTML then do not allow any HTML. That's why things like BBCode exist: to give the user a markup that won't automatically be parsed by a browser.

Let them enter something like "[video]http://www.youtube.com/blah[/video]", then convert that to the appropriate HTML tag(s).

Re: iframe vs object tag vs ?

Posted: Tue Dec 04, 2012 1:07 pm
by califdon
requinix wrote:Let them enter something like "[video]http://www.youtube.com/blah[/video]", then convert that to the appropriate HTML tag(s).
[video] is now an HTML5 tag. But I do agree with your advice.

Re: iframe vs object tag vs ?

Posted: Tue Dec 04, 2012 3:19 pm
by Christopher
califdon wrote:[video] is now an HTML5 tag. But I do agree with your advice.
I think you mean <video> is an HTML5 tag. requinix showed bbcode square bracket format.

Re: iframe vs object tag vs ?

Posted: Tue Dec 04, 2012 3:39 pm
by califdon
oops! :)

Re: iframe vs object tag vs ?

Posted: Wed Dec 05, 2012 1:40 am
by rhecker
Thanks for the thoughts. I think I need to state my question differently. Youtube uses either iframe or <object> for embedded video. I need to understand if these methods are security risks, and if so, how to manage them, or if I should simply block them.

My users manage their CMS content in a password-protected environment (2-way encryption) and the users would not intentionally add malicious content, but because my system cannot perform sanitation/validation on the embedded code between iframe or object tags, they both seem like weak links in my site security. I prefer that video be hosted at youtube rather than on my VPS.

Re: iframe vs object tag vs ?

Posted: Wed Dec 05, 2012 2:24 am
by social_experiment
rhecker wrote:and the users would not intentionally add malicious content
well... the users may not, but what about non-users who can access your system? A user who has family or friends that suddenly access their account? Even if you trust your users implicitly you shouldn't trust their input, because a logged in user only indicates they know the password / username combination, not that the user has any moral currency.
rhecker wrote:I need to understand if these methods are security risks, and if so, how to manage them, or if I should simply block them.
The tags themselves aren't the issue here, but what about attributes? If you do use the tags, make sure the user can't add any attributes: things like onclick, onblur, id, class, title, etc. I think that is a bigger issue.

Re: iframe vs object tag vs ?

Posted: Wed Dec 05, 2012 9:42 am
by Christopher
rhecker wrote:Thanks for the thoughts. I think I need to state my question differently. Youtube uses either iframe or <object> for embedded video. I need to understand if these methods are security risks, and if so, how to manage them, or if I should simply block them.
The safest is where you control the potentially dangerous code and they provide only something that you can easily validate -- such as the ID of the youtube video. So this [video]http://www.youtube.com/blah[/video] is not that safe because they provide the whole URL (which could be to some other site than youtube). Better is to do something like this: [video]blah[/video] where they just give the ID and you generate the code (either object or iframe).
rhecker wrote:My users manage their CMS content in a password-protected environment (2-way encryption) and the users would not intentionally add malicious content, but because my system cannot perform sanitation/validation on the embedded code between iframe or object tags, they both seem like weak links in my site security. I prefer that video be hosted at youtube rather than on my VPS.
Does this run on your servers or theirs?
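The pattern Christopher and social_experiment describe (escape all user HTML, accept only a video ID inside [video]...[/video], and generate the iframe with fixed attributes yourself) in Python, as an added example that is not code from the thread or from rhecker's CMS. It assumes YouTube IDs are 11 characters from [A-Za-z0-9_-] and uses the /embed/ URL form; the sample IDs and inputs are constructed.

```python
import html
import re

# Assumption: a YouTube video ID is exactly 11 characters from this alphabet.
# Adjust the pattern if the ID format changes; the point is that only an ID is accepted.
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")

# The BBCode tag. The inner content is captured loosely so that bad input can be
# rejected explicitly rather than silently partially matched.
VIDEO_TAG = re.compile(r"\[video\](.*?)\[/video\]", re.IGNORECASE | re.DOTALL)


def video_embed(video_id: str) -> str:
    """Generate the iframe ourselves: the user supplies only the ID, never markup
    or attributes, so src, size and permissions are fixed by the CMS."""
    if not VIDEO_ID.fullmatch(video_id):
        raise ValueError("invalid video id")
    return (
        '<iframe src="https://www.youtube.com/embed/' + video_id + '" '
        'width="560" height="315" frameborder="0" allowfullscreen></iframe>'
    )


def render(text: str) -> str:
    """Escape everything the user typed, then expand only well-formed
    [video]ID[/video] tags. Anything else inside the tag (a full URL, a quote,
    an attribute, extra markup) is left as inert escaped text."""

    def expand(match: re.Match) -> str:
        candidate = match.group(1).strip()
        if VIDEO_ID.fullmatch(candidate):
            return video_embed(candidate)
        # Already escaped by the html.escape below, so returning it unchanged is safe.
        return match.group(0)

    # Escape first: any raw <iframe>, <object> or <script> the user pasted becomes
    # harmless text. Square brackets survive escaping, so the tag regex still works.
    return VIDEO_TAG.sub(expand, html.escape(text))
```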