What XSS/CSRF attacks (if any) to be aware of when allowing video embeds?
- by fireeyedboy
I've been assigned a project for a website where users will be allowed to upload videos (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.).
Having no experience with allowing users to embed video:
How can I best protect against cross site scripting and/or cross site request forgery attacks specifically for video embedding? What are some of the common pitfalls to watch for?
At a minimum I would think to strip all tags except <object> and <embed>. But I have a feeling this will not be enough, will it?
If it is of importance, the environment will be:
PHP/Zend Framework
MySQL
Bonus points:
Is there a common minimum golden rule/code template for video embed codes that are valid across all video sites that I could use to filter the input?
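One defensive pattern that answers the "golden rule" question is to never store or render the user's markup at all: parse the submitted embed code only to extract a candidate URL, check the host against an allowlist of video providers, pull out a validated video id, and regenerate the `<iframe>` from a server-side template. The following is an added example written for this question (it is not code from the poster or from Zend Framework); the provider list, the id patterns and the output template are assumptions to adapt to the sites you actually support.

```php
<?php
// Added example, not from the question: rebuild every embed from a validated
// video id instead of filtering the user's markup. Allowlist and id patterns
// below are assumptions for YouTube and Vimeo; extend per provider.

/** Accepted hosts, how to pull a video id out of their URLs, and our own embed URL template. */
function video_embed_providers(): array
{
    return [
        'youtube' => [
            'hosts' => ['youtube.com', 'www.youtube.com', 'www.youtube-nocookie.com', 'youtu.be'],
            'extract' => function (array $u): ?string {
                $path = $u['path'] ?? '';
                // /embed/ID, old Flash-style /v/ID&hl=en, youtu.be/ID, /watch?v=ID
                if (preg_match('#^/embed/([A-Za-z0-9_-]{11})/?$#', $path, $m)) return $m[1];
                if (preg_match('#^/v/([A-Za-z0-9_-]{11})(?:[&/]|$)#', $path, $m)) return $m[1];
                if ($u['host'] === 'youtu.be' && preg_match('#^/([A-Za-z0-9_-]{11})$#', $path, $m)) return $m[1];
                parse_str($u['query'] ?? '', $q);
                if ($path === '/watch' && isset($q['v']) && preg_match('/^[A-Za-z0-9_-]{11}$/', $q['v'])) return $q['v'];
                return null;
            },
            'template' => 'https://www.youtube-nocookie.com/embed/%s',
        ],
        'vimeo' => [
            'hosts' => ['vimeo.com', 'www.vimeo.com', 'player.vimeo.com'],
            'extract' => function (array $u): ?string {
                return preg_match('#^/(?:video/)?(\d{1,12})$#', $u['path'] ?? '', $m) ? $m[1] : null;
            },
            'template' => 'https://player.vimeo.com/video/%s',
        ],
    ];
}

/** Collect candidate URLs from the tags an embed code usually carries; the markup itself is discarded. */
function embed_candidate_urls(string $html): array
{
    $urls = [];
    if (preg_match('#^https?://\S+$#', trim($html))) {
        $urls[] = trim($html);           // user pasted a bare URL
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_NONET);   // parse only, no network, never rendered
    $sources = ['iframe' => 'src', 'embed' => 'src', 'object' => 'data', 'param' => 'value', 'a' => 'href'];
    foreach ($sources as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            if ($tag === 'param' && strtolower($el->getAttribute('name')) !== 'movie') continue;
            $v = trim($el->getAttribute($attr));
            if ($v !== '') $urls[] = $v;
        }
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $urls;
}

/**
 * Returns an <iframe> built entirely by us for the first recognised video,
 * or null when nothing is recognised. Null means "reject", never "pass through".
 */
function sanitize_video_embed(string $html): ?string
{
    foreach (embed_candidate_urls($html) as $url) {
        $u = parse_url($url);
        if ($u === false || !isset($u['host'])) continue;
        $scheme = strtolower($u['scheme'] ?? 'https');      // protocol-relative //host/... is fine
        if ($scheme !== 'http' && $scheme !== 'https') continue;   // rejects every non-web scheme
        $u['host'] = strtolower($u['host']);
        foreach (video_embed_providers() as $p) {
            if (!in_array($u['host'], $p['hosts'], true)) continue;   // exact host match, no suffix tricks
            $id = ($p['extract'])($u);
            if ($id === null) continue;
            $src = sprintf($p['template'], rawurlencode($id));
            return sprintf(
                '<iframe src="%s" width="560" height="315" frameborder="0" allowfullscreen></iframe>',
                htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
            );
        }
    }
    return null;
}

// Constructed sample inputs (not real submissions):
$oldStyle = '<object width="425"><param name="movie" value="http://www.youtube.com/v/xyz_ABC-123&hl=en"></param>'
    . '<embed src="http://www.youtube.com/v/xyz_ABC-123&hl=en" type="application/x-shockwave-flash"></embed></object>';
var_dump(sanitize_video_embed($oldStyle));
// string: <iframe src="https://www.youtube-nocookie.com/embed/xyz_ABC-123" ...></iframe>
var_dump(sanitize_video_embed('<iframe src="https://www.youtube.com.example.net/embed/xyz_ABC-123"></iframe>'));
// NULL: lookalike host is not on the allowlist, so the whole submission is rejected
```

Because the stored value is only the provider name and video id (or the regenerated iframe), attributes such as `allowScriptAccess`, inline event handlers and unknown tags never reach the page, which removes the need to enumerate what to strip. The regenerated `<iframe>` is also the natural place to add a `sandbox` attribute or a Content-Security-Policy `frame-src` entry limited to the same allowlisted hosts.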