TalkPHP
05-12-2008, 03:46 PM   #1
Village Idiot
Security when embedding videos

I know this isn't exactly PHP, but the question could easily shift to it.

I have a project coming up where I will have to embed a video in a page. My (potential) client wants it to be any video site, all they have to do is post the HTML code. Now the way I would go about this is to disallow any tag but the embed and related tags that the pages require. However, a user could potentially embed a Shockwave file (SWF) which can make calls to JavaScript and work with the server-side files on the server it is on (I know it can't work with the server I am on). The problems with allowing a user to put their own JS in a page are obvious.

Now how do I circumvent this problem? The methods I have thought of are:
1. Disallow every extension except the video ones I will need. Being that those videos can't contain code like that, it will be fine.

2. To only have set sites allowed to embed, to have the user give me the URL and using regular expressions I can validate the URL and generate the embed code myself. I don't want to do this method because I hate regular expressions and it would be limited.

Is there a better method that I haven't thought of? Outside scripts are acceptable as long as they are legal to place in a script I am making for a client like this.
__________________
There are two ways to write bug-free code, only the third one works.
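
Option 2 from the post above (take a URL, validate it, generate the embed code server-side), sketched as an added example that is not part of the thread. The host is checked with parse_url() against an exact allow-list instead of a regular expression; the provider table, the build_embed() name and the player dimensions are assumptions for illustration.

```php
<?php
// Added example. EMBED_PROVIDERS and build_embed() are hypothetical names;
// the table lists the sites the client has approved (one shown here).
const EMBED_PROVIDERS = [
    // host => [query parameter carrying the video id, player URL prefix]
    'www.youtube.com' => ['v', 'http://www.youtube.com/v/'],
    'youtube.com'     => ['v', 'http://www.youtube.com/v/'],
];

// Returns embed HTML built entirely server-side, or null if the URL is
// rejected. Nothing the user typed is echoed except a validated video id.
function build_embed(string $url): ?string
{
    $parts = parse_url(trim($url));
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain web URLs; this drops javascript:, data:, file: and so on.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Credentials or an explicit port are never needed for a video link.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Exact host match, so youtube.com.evil.example does not pass.
    $host = strtolower($parts['host']);
    if (!array_key_exists($host, EMBED_PROVIDERS)) {
        return null;
    }
    [$param, $prefix] = EMBED_PROVIDERS[$host];
    parse_str($parts['query'] ?? '', $query);
    $id = $query[$param] ?? '';
    if (!is_string($id) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $id)) {
        return null;
    }
    $src = htmlspecialchars($prefix . $id, ENT_QUOTES, 'UTF-8');
    // These two attributes keep the player from calling JavaScript in the page.
    return '<embed src="' . $src . '" type="application/x-shockwave-flash"'
         . ' allowscriptaccess="never" allownetworking="internal"'
         . ' width="425" height="344"></embed>';
}

// Constructed sample inputs: an approved site, an arbitrary SWF, a look-alike host.
foreach (['http://www.youtube.com/watch?v=abc123XYZ_-',
          'http://files.example/movie.swf',
          'http://www.youtube.com.evil.example/watch?v=abc123'] as $sample) {
    echo $sample, ' => ', build_embed($sample) ?? 'rejected', PHP_EOL;
}
```

Because the markup is assembled from constants plus one validated id, the tag-stripping problem from option 1 never arises: user-supplied HTML is not stored or rendered at all.
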
05-13-2008, 12:49 AM   #2
drewbee

Usually with this type of situation, I hear people setting the upload site to a fully different URL, and then including that URL in an iframe on the main site.

Due to security reasons, the needed JavaScript code that would run and try to execute would only have access to the URL of the upload site, and keep the sensitive data on the display site safe and inaccessible.
05-13-2008, 01:31 AM   #3
Village Idiot

An iframe to the site would not be acceptable. It has to be a video that is embedded.