Hi all,
From what I know, the <embed> and <object> tags, which are used to embed YouTube videos, have security vulnerabilities. That's why we usually strip all those tags before displaying them. The same applies to <iframe>, which is used for Google Maps.
Does anyone have any idea how to approach this problem without opening our website to security threats?
Note: I'm not talking about YouTube and Google Maps specifically, but about any popular embeddable objects, such as Google Video, etc.
Thank you.
youtube, google maps (and any other popular ones)
Re: youtube, google maps (and any other popular ones)
swapace wrote: Does anyone have any idea how to approach this problem without opening our website to security threats?
Specifically, what is the problem? That you would like to allow the embed / object tag?
Re: youtube, google maps (and any other popular ones)
Thanks for your reply, ghurtado.
The problem is, I want to allow embed/object/iframe tags for popular media websites like YouTube, Google Video, Google Maps, etc. However, I don't want to allow those tags for other, unknown media, since they pose some security threats.
Re: youtube, google maps (and any other popular ones)
Taking just the example of the object tag for the specific purpose of showing Flash content, but the same concept should be applicable to the other tags.
Basically you want to allow:
<object>
<param name="movie" value="http://www.youtube.com/myFlashMovie.swf">
</object>
but disallow:
<object>
<param name="movie" value="http://www.myhackingsite.com/myFlashMovie.swf">
</object>
In that case, this becomes a good candidate for a regular expression. Apply the regex to the param tag that defines the source of the Flash file to extract the URL. Then split off the URL at the domain name. Once you have just a domain name, match it against a list of well-known sites (YouTube, Google, etc.) and, if it doesn't match, reject the post.
That is the high level of how I would do it; now it is up to you to actually implement it.
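A worked version of the approach described in the reply above, added here as an example and not code from the thread: it pulls the source URL out of object/embed/iframe tags with Python's html.parser and compares the host against an allowlist. Instead of splitting the URL string apart with a regex, it takes the host from urllib.parse.urlsplit, so that URLs like http://www.youtube.com@www.myhackingsite.com/ or http://youtube.com.myhackingsite.com/ are judged by the host that would actually be contacted. The allowlist, the attribute and param names checked, and the sample posts are assumptions for illustration.

```python
"""Allow <object>/<embed>/<iframe> only when every source URL points at an allowed host.

Added example for the thread above, not code from the original posts. The
allowlist, attribute names and sample posts are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: a host matches if it equals an entry or is a subdomain of one
# (dot boundary), so "youtube.com.myhackingsite.com" does not match "youtube.com".
ALLOWED_DOMAINS = {"youtube.com", "video.google.com", "maps.google.com"}

# <param> names that carry the source URL inside an <object> (Flash uses "movie").
PARAM_URL_NAMES = {"movie", "src", "url"}


def host_allowed(url):
    """True only for http(s) URLs whose parsed host is on the allowlist."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


class EmbedCollector(HTMLParser):
    """Collect source URLs from embed/iframe/object/param tags and count embeds
    that carry no URL at all (those cannot be checked, so they are rejected)."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.unverifiable = 0
        self._object_url_counts = []  # one counter per currently open <object>

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ("embed", "iframe"):
            if attrs.get("src"):
                self.urls.append(attrs["src"])
            else:
                self.unverifiable += 1
        elif tag == "object":
            self._object_url_counts.append(0)
            if attrs.get("data"):
                self._record_object_url(attrs["data"])
        elif tag == "param" and attrs.get("name", "").lower() in PARAM_URL_NAMES:
            if attrs.get("value"):
                self._record_object_url(attrs["value"])

    def _record_object_url(self, url):
        self.urls.append(url)
        if self._object_url_counts:
            self._object_url_counts[-1] += 1

    def handle_endtag(self, tag):
        if tag == "object" and self._object_url_counts:
            if self._object_url_counts.pop() == 0:
                self.unverifiable += 1

    def close(self):
        super().close()
        # <object> tags that were never closed are judged on what they carried.
        self.unverifiable += sum(1 for n in self._object_url_counts if n == 0)
        self._object_url_counts = []


def post_allowed(html):
    """True if the post has no embeds, or every embed points only at allowed hosts."""
    collector = EmbedCollector()
    collector.feed(html)
    collector.close()
    if collector.unverifiable:
        return False
    return all(host_allowed(url) for url in collector.urls)


# Constructed sample posts (not real user content).
SAMPLE_POSTS = {
    "youtube_object": '<object><param name="movie" value="http://www.youtube.com/myFlashMovie.swf"></object>',
    "maps_iframe": '<iframe src="https://maps.google.com/maps?q=paris"></iframe>',
    "unknown_host": '<embed src="http://www.myhackingsite.com/myFlashMovie.swf">',
    "userinfo_trick": '<embed src="http://www.youtube.com@www.myhackingsite.com/x.swf">',
    "suffix_trick": '<iframe src="http://youtube.com.myhackingsite.com/"></iframe>',
    "no_url": '<object type="application/x-shockwave-flash"></object>',
    "text_only": "<p>no embeds here</p>",
}


def check_samples():
    """Run post_allowed over the constructed posts; returns {name: allowed}."""
    return {name: post_allowed(html) for name, html in SAMPLE_POSTS.items()}


if __name__ == "__main__":
    for name, allowed in check_samples().items():
        print(f"{name:16} {'allowed' if allowed else 'rejected'}")
```

Two design points worth noting: the host is compared whole (exact match or subdomain with a dot boundary), never as a substring or prefix of the URL, and any embed whose source URL cannot be found is rejected rather than passed through, since a tag you cannot verify is a tag you cannot vouch for.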