Php – How to Safely Accept Pasted Code in PHP

embedPHPvalidation

I want to allow users to paste <embed> and <object> HTML fragments (video players) via an HTML form. The server-side code is PHP. How can I protect against malicious pasted code, JavaScript, etc? I could parse the pasted code, but I'm not sure I could account for all variations. Is there a better way?

Best Answer

I'm not really sure what parameters EMBED and OBJECT take as I've never really dealt with putting media on a page (which is actually kind of shocking to think about) but I would take a BB Code approach to it and do something like [embed url="http://www.whatever.com/myvideo.whatever" ...] and then you can parse out the URL and anything else, make sure they are legit and make your own <EMBED> tag.

edit: Alright, something like this should be fine:

$youtube = '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1"></param> </param><embed src="http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object>';

$blip = '<embed src="http://blip.tv/play/AZ_iEoaIfA" type="application/x-shockwave-flash" width="640" height="510" allowscriptaccess="always" allowfullscreen="true"></embed>';

preg_match_all("/([A-Za-z]*)\=\"(.+?)\"/", $youtube, $matches1);
preg_match_all("/([A-Za-z]*)\=\"(.+?)\"/", $blip, $matches2);
print '<pre>' . print_r($matches1, true). '</pre>';
print '<pre>' . print_r($matches2, true). '</pre>';

This will output:

Array
(
[0] => Array
    (
        [0] => width="425"
        [1] => height="344"
        [2] => name="movie"
        [3] => value="http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1"
        [4] => src="http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1"
        [5] => type="application/x-shockwave-flash"
        [6] => allowfullscreen="true"
        [7] => width="425"
        [8] => height="344"
    )

[1] => Array
    (
        [0] => width
        [1] => height
        [2] => name
        [3] => value
        [4] => src
        [5] => type
        [6] => allowfullscreen
        [7] => width
        [8] => height
    )

[2] => Array
    (
        [0] => 425
        [1] => 344
        [2] => movie
        [3] => http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1
        [4] => http://www.youtube.com/v/Z75QSExE0jU&hl=en&fs=1
        [5] => application/x-shockwave-flash
        [6] => true
        [7] => 425
        [8] => 344
    )
)

Array
(
[0] => Array
    (
        [0] => src="http://blip.tv/play/AZ_iEoaIfA"
        [1] => type="application/x-shockwave-flash"
        [2] => width="640"
        [3] => height="510"
        [4] => allowscriptaccess="always"
        [5] => allowfullscreen="true"
    )

[1] => Array
    (
        [0] => src
        [1] => type
        [2] => width
        [3] => height
        [4] => allowscriptaccess
        [5] => allowfullscreen
    )

[2] => Array
    (
        [0] => http://blip.tv/play/AZ_iEoaIfA
        [1] => application/x-shockwave-flash
        [2] => 640
        [3] => 510
        [4] => always
        [5] => true
    )
)

From then on it's pretty straight forward. For things like width/height you can verify them with is_numeric and with the rest you can run the values through htmlentities and construct your own <embed> tag from the information. I am pretty certain this would be safe. You can even make the full-fledged <object> one like YouTube (which I assume works in more places) with links from blip.tv, since you would have all the required data.

I am sure you may see some quirks with links from other video-sharing websites but this will hopefully get you started. Good luck.