What XSS/CSRF attacks (if any) to be aware of when allowing video embeds?

Posted by fireeyedboy on Stack Overflow See other posts from Stack Overflow or by fireeyedboy
Published on 2010-03-18T17:02:21Z Indexed on 2010/03/18 23:31 UTC
Read the original article Hit count: 275

Filed under:

best-practices

|

embedded-video

|

xss

|

csrf

|

php

I've been assigned a project for a website where users will be allowed to upload video's (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.).

Having no experience with allowing users to embed video:
How can I best protect against cross site scripting and/or cross site request forgery attacks specifically for video embedding? What are some of the common pitfalls to watch for?

At a minumum I would think to strip all tags except <object> and <embed>. But I have a feeling this will not be enough, will it?

If it is of importance, the environment will be:

PHP/Zend Framework
MySQL

Bonuspoints:
Is there a common minimum golden rule/code template for video embed codes that are valid across all video sites that I could use to filter the input?

© Stack Overflow or respective owner

Related posts about best-practices

Batch Best Practices and Technical Best Practices Updated

as seen on Oracle Blogs - Search for 'Oracle Blogs'
The Batch Best Practices for Oracle Utilities Application Framework based products (Doc Id: 836362.1) and Technical Best Practices for Oracle Utilities Application Framework Based Products (Doc Id: 560367.1) have been updated with updated and new advice for the various versions of the Oracle… >>> More
Partial template specialization of free functions - best practices

as seen on Stack Overflow - Search for 'Stack Overflow'
As most C++ programmers should know, partial template specialization of free functions is disallowed. For example, the following is illegal C++: template <class T, int N> T mul(const T& x) { return x * N; } template <class T> T mul<T, 0>(const T& x) { return T(0); } //… >>> More
Object Oriented PHP Best Practices

as seen on Stack Overflow - Search for 'Stack Overflow'
Say I have a class which represents a person, a variable within that class would be $name. Previously, In my scripts I would create an instance of the object then set the name by just using: $object->name = "x"; However, I was told this was not best practice? That I should have a function set_name()… >>> More
Good place to look for example Database Designs - Best practices

as seen on Stack Overflow - Search for 'Stack Overflow'
I have been given the task to design a database to store a lot of information for our company. Because the task is rather big and contains multiple modules where users should be able to do stuff, I'm worried about designing a good data model for this. I just don't want to end up with a badly designed… >>> More
Notification Email Best Practices--From Server Setup to Programming

as seen on Stack Overflow - Search for 'Stack Overflow'
All, I'm in the process now of building a SaaS tool that allows network admins to generate notification emails to the members of the end-users of our platform (among many many other things). I'm running into a bit of an "out of my expertise" wall, as I know there are a lot of variables involved… >>> More

Related posts about embedded-video

Getting WAP embedded video in android AND iphone?

as seen on Stack Overflow - Search for 'Stack Overflow'
Recently a client asked me to make their site "work on smart phones", which normally wouldn't be too much of an issue... However it's a video site, and I have absolutely no idea where to even begin. Right off the bat I'm not even going to consider allowing the site to even function in anything other… >>> More
how to create a thumbnail image with embedded video code

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi all, How to create a thumbnail image with embedded video code. For example i am having the following embedded code: Now i need to display the thumbnail image of this video and while clicking on that thumbnail image the corresponding video must play. Now, My Prob is "HOW TO CREATE A THUMBNAIL… >>> More
Flash: How to make an embedded video not autoplay

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm embedding a Flash video into an HTML and would like the user to have to click it to begin playing. According to the Adobe <object> / <embed> element documentation, there are variety of methods to do this: 1) Add a Flash parameter inside the <object> tag: <param name="play"… >>> More
Updating Embedded Video in Firefox

as seen on Stack Overflow - Search for 'Stack Overflow'
I am working on a Videos page where my intention is to load a video with the page but by clicking a link, the original video will be updated and replaced with the corresponding video. For instance, if video1 loads with the page and the user clicks to view video2, the original div's innerHTML holding… >>> More
Dynamically change embedded video src in IE/Chrome (works in Firefox)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to dynamically change an embedded video on a page. It's working in Firefox but for some reason it's not working in IE and Chrome (strange combination). Here's the HTML: <object id="viewer" width="575" height="344"> <param name="wmode" value="transparent" /> … >>> More