I know this isnt exactly PHP, but the question could easily shift to it.
Now how do I circumvent this problem? The methods I have thought of are
1. Disallow every extension accept the video ones I will need. Being that those videos cant contain code like that it will be fine
2. To only have set sites allowed to embed, to have the user give me the URL and using regular expressions I can validate the URL and generate the embed code myself. I don't want to do this method because I hate regular expressions and it would be limited.
Is there a better method that I haven't thought of:? Outside scripts are acceptable as long as they are legal to place in a script I am making for a client like this.
Usually with this type of situation, I hear people setting the upload site to a full different URL, and then including that url in an iframe on the main site.