Our software manages libraries, museums, archives etc. We’d like to let the users (namely the catalogers, not the visitors) add some embedded content such as Google maps, YouTube videos etc. We’d like the solution to be as flexible as possible, as each embedded content provider has it’s own format. OTOH, we’d rather not allow the users to enter raw HTML, as this will impose both a XSS security risk and in case of erroneous HTML might screw up our surrounding web page.
I started looking into Google Maps today, and couldn’t find a way to handle it. I don’t want to let the users just copy the embedding HTML snippet into an item; I can’t embed the link URL provided, as Google won’t allow it; and I can’t let the user specify the coordinates, as I don’t want to use the Google Maps JS API (which means providing a built-in solution which we’ll have to maintain).
The question in not specifically about Google Maps, but Google Maps is quite representative. I’d love to hear suggestions for a flexible-yet-secure HTML embedding technique.
Thanks, Eran
Would Caja work for you?