Welcome Guest, Not a member yet? Register   Sign In
Youtube embed code. Please help!

Hello guys!

I have a small problem. I would like to allow my customers to enter embed code for Youtube so that their videos can be seen on their blogs, but the XSS cleaning replaces the <> with other code (as it should do).

What I am asking is the following:

1. Is there a major security issue if I remove the Embed and Object from the Input Library?
(Which successfully allows the embed code to be used).

2. Is there another way to allow input of Youtube embed code?

Thankful for all help!

Kind Regards,


A simple suggestion: if you will embed youtube and only it,
you can get from your customers only the ID of the video
Example: http://www.youtube.com/watch?v=G4FdbNwI17U
and replace it in the html code.

In this example, replace the {%ID_VIDEO%} by G4FdbNwI17U

&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/{%ID_VIDEO%}&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param>&lt;embed src="http://www.youtube.com/v/{%ID_VIDEO%}&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed>&lt;/object&gt;

Now, if you open the options for others online videos services
(Vimeo, Metacafe, etc) maybe you can display a select combo
to the user choice from what ID is the video and then you choose the
right template of html code to embed.

Hope it's helpful.


Hi Samir,

Thanks for the reply!

I would like to offer many different providers, therefore I thought it was easy just
to let them paste the embed code from for example youtube or Vimeo directly, but that is was is causing the problem(?) with security when allowing the tags Embed and Object.

Do you know of any other trick for this where they do not have to choose provide just paste the code?


[eluser]Michael Wales[/eluser]
Put a & in front of the lt and gt (forum hack).

echo str_replace(array('lt;', 'gt;'), array('<', '>'), $embed_filed);

Theme © iAndrew 2016 - Forum software by © MyBB