Home/ Questions/Q 72489
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T20:03:10+00:00

I want to allow users to paste <embed> and <object> HTML fragments (video players)

  • 0

I want to allow users to paste <embed> and <object> HTML fragments (video players) via an HTML form. The server-side code is PHP. How can I protect against malicious pasted code, JavaScript, etc? I could parse the pasted code, but I’m not sure I could account for all variations. Is there a better way?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. I’m not really sure what parameters EMBED and OBJECT take as I’ve never really dealt with putting media on a page (which is actually kind of shocking to think about) but I would take a BB Code approach to it and do something like and then you can parse out the URL and anything else, make sure they are legit and make your own <EMBED> tag.

    edit: Alright, something like this should be fine:

    $youtube = '<object width='425' height='344'><param name='movie' value='http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1'></param> </param><embed src='http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1' type='application/x-shockwave-flash' allowfullscreen='true' width='425' height='344'></embed></object>';  $blip = '<embed src='http://blip.tv/play/AZ_iEoaIfA' type='application/x-shockwave-flash' width='640' height='510' allowscriptaccess='always' allowfullscreen='true'></embed>';  preg_match_all('/([A-Za-z]*)\=\'(.+?)\'/', $youtube, $matches1); preg_match_all('/([A-Za-z]*)\=\'(.+?)\'/', $blip, $matches2); print '<pre>' . print_r($matches1, true). '</pre>'; print '<pre>' . print_r($matches2, true). '</pre>';

    This will output:

    Array ( [0] => Array     (         [0] => width='425'         [1] => height='344'         [2] => name='movie'         [3] => value='http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1'         [4] => src='http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1'         [5] => type='application/x-shockwave-flash'         [6] => allowfullscreen='true'         [7] => width='425'         [8] => height='344'     )  [1] => Array     (         [0] => width         [1] => height         [2] => name         [3] => value         [4] => src         [5] => type         [6] => allowfullscreen         [7] => width         [8] => height     )  [2] => Array     (         [0] => 425         [1] => 344         [2] => movie         [3] => http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1         [4] => http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1         [5] => application/x-shockwave-flash         [6] => true         [7] => 425         [8] => 344     ) )  Array ( [0] => Array     (         [0] => src='http://blip.tv/play/AZ_iEoaIfA'         [1] => type='application/x-shockwave-flash'         [2] => width='640'         [3] => height='510'         [4] => allowscriptaccess='always'         [5] => allowfullscreen='true'     )  [1] => Array     (         [0] => src         [1] => type         [2] => width         [3] => height         [4] => allowscriptaccess         [5] => allowfullscreen     )  [2] => Array     (         [0] => http://blip.tv/play/AZ_iEoaIfA         [1] => application/x-shockwave-flash         [2] => 640         [3] => 510         [4] => always         [5] => true     ) )

    From then on it’s pretty straight forward. For things like width/height you can verify them with is_numeric and with the rest you can run the values through htmlentities and construct your own <embed> tag from the information. I am pretty certain this would be safe. You can even make the full-fledged <object> one like YouTube (which I assume works in more places) with links from blip.tv, since you would have all the required data.

    I am sure you may see some quirks with links from other video-sharing websites but this will hopefully get you started. Good luck.

    • 0