Hello guys!

I have a small problem. I would like to allow my customers to enter embed code for Youtube so that their videos can be seen on their blogs, but the XSS cleaning replaces the <> with other code (as it should do).

What I am asking is the following:

1. Is there a major security issue if I remove the Embed and Object from the Input Library?
  (Which successfully allows the embed code to be used).

2. Is there another way to allow input of Youtube embed code?

Thankful for all help!

Kind Regards,
Daniel

Hi!

A simple suggestion: if you will embed youtube and only it,
you can get from your customers only the ID of the video
Example: http://www.youtube.com/watch?v=G4FdbNwI17U
and replace it in the html code.

In this example, replace the {%ID_VIDEO%} by G4FdbNwI17U

<object width=“425” height=“344”><param name=“movie” value=“http://www.youtube.com/v/{%ID_VIDEO%}&hl=en&fs=1”></param></param></param><embed src=“http://www.youtube.com/v/{%ID_VIDEO%}&hl=en&fs=1” type=“application/x-shockwave-flash” allowscriptaccess=“always” allowfullscreen=“true” width=“425” height=“344”></embed></object>

Now, if you open the options for others online videos services
(Vimeo, Metacafe, etc) maybe you can display a select combo
to the user choice from what ID is the video and then you choose the
right template of html code to embed.

Hope it’s helpful.

Samir

Hi Samir,

Thanks for the reply!

I would like to offer many different providers, therefore I thought it was easy just
to let them paste the embed code from for example youtube or Vimeo directly, but that is was is causing the problem(?) with security when allowing the tags Embed and Object.

Do you know of any other trick for this where they do not have to choose provide just paste the code?

Thanks!

Put a & in front of the lt and gt (forum hack).