youtube, google maps (and any other popular ones)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

swapace
Forum Newbie
Posts: 2
Joined: Thu Jul 24, 2008 3:53 am

youtube, google maps (and any other popular ones)

Post by swapace »

Hi all,

From what I know, <embed> and <object> tags, which are used to embed YouTube videos, have security vulnerabilities. That's why we usually strip all those tags before displaying it. This is also the same with <iframe>, which is used in Google Maps.

Does anyone have any idea how to approach this problem without opening our website to security threats?

Note: I'm not talking about youtube and google maps specifically, but any embeddable popular objects such as google video, etc.

Thank you.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: youtube, google maps (and any other popular ones)

Post by ghurtado »

swapace wrote: Does anyone have any idea how to approach this problem without opening our website to security threats?
Specifically, what is the problem? That you would like to allow the embed / object tag?
swapace
Forum Newbie
Posts: 2
Joined: Thu Jul 24, 2008 3:53 am

Re: youtube, google maps (and any other popular ones)

Post by swapace »

Thanks for your reply, ghurtado.

The problem is, I want to allow embed/object/iframe tags for popular media websites like YouTube, Google Video, Google Maps, etc. However, I don't want to allow those tags for other unknown media since they pose some security threats.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: youtube, google maps (and any other popular ones)

Post by ghurtado »

Taking just the example of the object tag for the specific purpose of showing Flash content, but the same concept should be applicable to the other tags.

Basically you want to allow:

<object>
<PARAM NAME=movie VALUE="http://www.youtube.com/myFlashMovie.swf">
</object>
but disallow:

<object>
<PARAM NAME=movie VALUE="http://www.myhackingsite.com/myFlashMovie.swf">
</object>
In that case, this becomes a good candidate for a regular expression. Apply the regex to the param tag that defines the source of the flash file to extract the URL. Then split off the URL at the domain name. Once you have just a domain name, match it against a list of well known sites (youtube, google, etc...) and if it doesn't match, you should reject the post.

That is the high level of how I would do it, now it is up to you to actually implement it :)
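One way to implement the check ghurtado outlines (extract the source URL, reduce it to a host name, compare against a list of known sites), as an added example that is not code from the thread. It assumes PHP 8 (for str_ends_with) and a constructed allowlist named ALLOWED_HOSTS, and uses DOMDocument plus parse_url instead of a hand-written regex so the host is compared as a whole domain rather than as a substring.

```php
<?php
// Added example, not from the thread. Assumed allowlist of known hosts; each
// entry matches an exact host or a parent domain (www.youtube.com matches
// youtube.com), never a bare substring, so youtube.com.attacker.example fails.
const ALLOWED_HOSTS = ['youtube.com', 'video.google.com', 'maps.google.com'];

// Pull the source URL out of an <object>/<param name="movie">, <embed> or
// <iframe> fragment using a real HTML parser rather than a regex.
function extractEmbedUrl(string $html): ?string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate a bare fragment
    $dom->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    $nodes = (new DOMXPath($dom))->query(
        '//param[translate(@name,"MOVIE","movie")="movie"]/@value | //embed/@src | //iframe/@src'
    );
    return ($nodes && $nodes->length) ? trim($nodes->item(0)->nodeValue) : null;
}

function hostIsAllowed(string $host, array $allowed): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $a) {
        if ($host === $a || str_ends_with($host, '.' . $a)) {
            return true;
        }
    }
    return false;
}

// Accept the fragment only if it points to an absolute http(s) URL on an
// allowed host; relative URLs, javascript: and data: URLs are rejected.
function embedIsAllowed(string $html, array $allowed = ALLOWED_HOSTS): bool
{
    $url = extractEmbedUrl($html);
    if ($url === null) {
        return false;
    }
    $p = parse_url($url);
    if (!isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return hostIsAllowed($p['host'], $allowed);
}
// Constructed sample inputs: the first is accepted, the second rejected.
$ok  = '<object><param name="movie" value="http://www.youtube.com/v/abc123"></object>';
$bad = '<object><param name="movie" value="http://www.youtube.com.attacker.example/x.swf"></object>';
var_dump(embedIsAllowed($ok), embedIsAllowed($bad));
```

A post that fails the check should be rejected outright rather than having the tag stripped, as ghurtado suggests, since a silently altered post is harder for the author to notice and fix.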