youtube, google maps (and any other popular ones)
Posted: Thu Jul 24, 2008 3:54 am
by swapace
Hi all,
From what I know, <embed> and <object> tags which are used in embedding youtube video have security vulnerabilities. That's why we usually strip all those tags before displaying it. This is also the same with <iframe> which is used in google maps.
Does anyone have any idea how to approach this problem without opening our website to security threats?
Note: I'm not talking about youtube and google maps specifically, but any embeddable popular objects such as google video, etc.
Thank you.
Re: youtube, google maps (and any other popular ones)
Posted: Thu Jul 24, 2008 8:42 am
by ghurtado
swapace wrote:
Does anyone have any idea how to approach this problem without opening our website to security threats?
Specifically, what is the problem? That you would like to allow the embed / object tag?
Re: youtube, google maps (and any other popular ones)
Posted: Thu Jul 24, 2008 5:59 pm
by swapace
Thanks for your reply, ghurtado.
The problem is, I want to allow embed/object/iframe tags for popular media websites like youtube, google video, google map, etc. However, I don't want to allow those tags for other unknown media since they pose some security threats.
Re: youtube, google maps (and any other popular ones)
Posted: Fri Jul 25, 2008 8:13 am
by ghurtado
Taking just the example of the object tag for the specific purpose of showing flash content, but the same concept should be applicable to the other tags.
Basically you want to allow:
<object>
<PARAM NAME=movie VALUE="http://www.youtube.com/myFlashMovie.swf">
</object>
but disallow:
<object>
<PARAM NAME=movie VALUE="http://www.myhackingsite.com/myFlashMovie.swf">
</object>
In that case, this becomes a good candidate for a regular expression. Apply the regex to the param tag that defines the source of the flash file to extract the URL. Then split off the URL at the domain name. Once you have just a domain name, match it against a list of well known sites (youtube, google, etc...) and if it doesn't match, you should reject the post.
That is the high level of how I would do it; now it is up to you to actually implement it.
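Added example, not part of the original thread: one way to implement the allow-list check described in the last post, written in Python with an HTML parser and `urlsplit` in place of the regex so that the comparison is made on the exact hostname rather than on a substring of the URL. The host list and all function and class names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list (illustrative); hosts are compared exactly, never by substring.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "video.google.com", "maps.google.com"}
# Attribute that carries the loaded URL for each embedding tag.
URL_ATTRS = {"embed": "src", "iframe": "src", "object": "data"}


def host_allowed(url):
    """True only for an http(s) URL whose exact hostname is on the allow-list."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops userinfo and port and lowercases the name, so the
        # part before an "@" or after a ":" never takes part in the comparison.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and host in ALLOWED_HOSTS


class EmbedSourceCollector(HTMLParser):
    """Collects every URL that an object/embed/iframe in a post would load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # the parser already lowercases tag and attribute names
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.urls.append(attrs[URL_ATTRS[tag]])
        elif tag == "param" and (attrs.get("name") or "").lower() in ("movie", "src"):
            self.urls.append(attrs.get("value") or "")


def post_is_acceptable(html):
    """Reject the whole post if any embedded source is off the allow-list."""
    collector = EmbedSourceCollector()
    collector.feed(html)
    collector.close()
    return all(host_allowed(u) for u in collector.urls)


# Constructed sample posts, taken from the two snippets in the thread.
GOOD = '<object><PARAM NAME=movie VALUE="http://www.youtube.com/myFlashMovie.swf"></object>'
BAD = '<object><PARAM NAME=movie VALUE="http://www.myhackingsite.com/myFlashMovie.swf"></object>'
```

A check that only looks for "youtube.com" somewhere in the URL would also accept hosts that merely contain that string, which is why the comparison here is an exact match on the parsed hostname.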
