Allow users to safely embed

cadkins23

I did a search for this and didn't turn up anything really relevant.

My social networking site was once open to many kinds of attacks. One programmer that helped me right after a redirection attack restricted embed from being entered in the users profile fields.

The problem is that users are used to myspace where people can embed a video, etc. Daily I'll have requests asking why they can't save video code from another site.

Is there any way to allow users to embed in their profiles without opening up a can of worms? One of my primary concerns, besides a direct attack, would be for a user to somehow steal cookies from visitors to their profile.

etully

The general rule of security is to make a list of what you want to allow in instead of trying to make a list of what you want to keep out.

So let's say that you wish to permit a video. The embed might look like this:

<object width="425" height="350">
<param name="movie" value="http://www.youtube.com/v/gt8KpcXj4bg">
</param><param name="wmode" value="transparent"></param>
<embed src="http://www.youtube.com/v/gt8KpcXj4bg" 
type="application/x-shockwave-flash" wmode="transparent" width="425" 
height="350"></embed></object>

The hard way to solve this problem is to let users enter that code and you parse through it to make sure that it precisely matches the format of something that you want to allow in. That is, that you can confirm that it's indeed a video.

The easy way to solve this problem is to build a mechanism for students to indicate that a given URL should be wrapped in an embed.

Technique #1 for indicating that a URL should be wrapped in an embed: Make a field called URL. Put some text next to it that says, "If you want a video embedded in your blog, enter the URL here." That way, you just need to check to make sure that the URL is really in the form of a video.

Technique #2 for indicating that a URL should be wrapped in an embed: If the user's text is parsed, you could wrap it in some code that you invent. Maybe something like this:

<<<EMBED>>> http://www.youtube.com/v/gt8KpcXj4bg <<< / EMBED >>>

Again, now that you know what URL they want to embed, you can verify that it matches the pattern of something that you want to permit. Then you can inject the URL into an embed tag on the user's behalf so that you know it's safe.

jasondavis

myspace uses some method to allow embeded flash or anything but with flash player v9 it won't allow redirects on myspace