Podge
Support Moderator
Ireland
3775 Posts
Posted - 24 February 2006 : 12:10:22
The main problem I have with the Google code is that it is HTML encoded, e.g.
<embed style="width:400px; height:326px;" id="VideoPlayback" align="middle" type="application/x-shockwave-flash" src="http://video.google.com/googleplayer.swf?videoUrl=http%3A%2F%2Fvp.video.google.com%2Fvideodownload%3Fversion%3D0%26secureurl%3DpwAAAC5Q3TqJgtkaUrxYFgQyqSGrLfHDUKDZ798RZfi1QH7rT93axrH2SKNy07NGdy7oM2-27AJ6t_3p79r4lUD_Iv_ChwRx8BULvO1mQ1GpxikFq1beBWSxPtkQ7MS2qykUcmvnH_lMqZ21njcwTZRA_2TB5mthL2HKIRSc75zAEmsGY68LGyAtkkmPVinLCgI95e_eK8M4O4ZapDm03mfWFgnsbatXThANxE0zJcNuAL-L%26sigh%3D7EJ-E9K3BLvF5-iWcSrHpOBP3x4%26begin%3D0%26len%3D127966%26docid%3D6906105323088846127&thumbnailUrl=http%3A%2F%2Fvideo.google.com%2FThumbnailServer%3Fcontentid%3D9d81b82ea215b110%26second%3D5%26itag%3Dw320%26urlcreated%3D1140800616%26sigh%3D-Yodhwv6rzDYf2XerioVJvaCp6M&playerId=6906105323088846127&playerMode=embedded" allowScriptAccess="sameDomain" quality="best" bgcolor="#ffffff" scale="noScale" wmode="window" salign="TL" > </embed>
Won't this be flagged as 'illegal' unless the check is taken out? If the check is taken out a malicious user could post HTML even if it's disabled.
Podge.
The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 24 February 2006 : 13:48:51
quote: Originally posted by Podge
These are all tags currently supported correct? [wma][wmv][flash][qt][tube] ? ... What problems are we likely to have with a [media][/media] tag?
Yep, that's the lot. I suggest [real][/real] for the realplayer, and I guess that that's about 99,9% of all online media content covered.
I'm not sure which problems you'd have with the media tag, as long as the MIME type of the content is recognizable by means of the URL format. However, as we want to prevent any cross-site scripting, we won't allow any strange characters in that URL. That might be a problem for some media types and hosting environments, but we'll still cover >80% of the users, which is fine to me.
quote: Originally posted by Podge
The main problem I have with the Google code is that it is html encoded e.g.
<embed style="width:400px; height:326px;" id="VideoPlayback" align="middle" type="application/x-shockwave-flash" src="encoded url" allowScriptAccess="sameDomain" quality="best" bgcolor="#ffffff" scale="noScale" wmode="window" salign="TL" > </embed>
Won't this be flagged as 'illegal' unless the check is taken out? If the check is taken out a malicious user could post html even if its disabled.
Indeed, this will be a possible cross-site scripting weakness... The way I circumvented this at oxle was by using the linkshrinker to store the "http://video.google.com/googleplayer.swf?videoUrl=encodedurl" part in a separate db (the linkshrinker db), and use the linkshrinker URL as input URL for the embedded flash object. Seems to work, at least on the vid.asp page, but requires some sort of separate db and forwarder function if it was to be used outside oxle and without the linkshrinker functionality...
portfolio - linkshrinker - oxle - twitter
Edited by - MarcelG on 24 February 2006 13:51:07
-gary
Development Team Member
406 Posts
Posted - 24 February 2006 : 14:02:41
I've seen some large forums stop allowing even image links to sites that use question marks in URLs because of successful XSS attacks.
KawiForums.com
Podge
Support Moderator
Ireland
3775 Posts
Posted - 24 February 2006 : 14:52:17
If I use a regex to extract the Google URL to the video and URL-decode it, then it might pass the check.
This is the regex I'm using (VB). It should only match Google URLs, so if someone links to a non-Google URL nothing will happen. The problem arises again if they alter the Google URL querystring. If it passes the check though it should be OK, correct?
' Match a Google Video URL followed by an optional path/querystring
objRegExpr.Pattern = "(http):\/\/video\.google\.com([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?"
Podge
Support Moderator
Ireland
3775 Posts
Posted - 24 February 2006 : 20:20:23
Small typo in vid.asp. The following is correct:
'done with quicktime, now the youTube files
elseif lcase(request.querystring("t"))="y" or lcase(left(FileToShow,26)) = "http://www.youtube.com/?v=" then
    ' height and width come from the querystring, but only if they are numeric
    if request.querystring("h")<>"" and IsNumeric(request.querystring("h")) = true then
        intHeight = request.querystring("h")
    else
        intHeight = 395
    end if
    if request.querystring("w")<>"" and IsNumeric(request.querystring("w")) = true then
        intWidth = request.querystring("w")
    else
        intWidth = 480
    end if
    ' the video URL is handed to the client-side EmbedTubeVideo() function
    Response.Write "<font face=""" & strDefaultFontFace & """ size=""" & strFooterFontSize & """><nobr>Please wait while the youTube video loads!</nobr></font></td>" & vbNewLine & _
        "</tr><tr>" & vbNewLine & vbNewLine & _
        "<td valign=""top"" align=""middle"" bgcolor=""" & strCategoryCellColor & """ colspan=""1"">" & vbNewLine & _
        "<script language=""javascript"">EmbedTubeVideo(""" & FileToShow & """," & intWidth & "," & intHeight & ",""false"");</script>"
'done with youTube, now the flash files
I'll post the Google Video code tomorrow. It's nearly finished.
Edited by - Podge on 24 February 2006 20:20:50
ILLHILL
Junior Member
Netherlands
341 Posts
Posted - 24 February 2006 : 21:56:48
Because people are going to ask for posting icons:
I'm not too happy with the YouTube icon, but it's a start.
Greets, Dominic
Edited by - ILLHILL on 24 February 2006 21:58:18
Karel Bata
Junior Member
United Kingdom
122 Posts
Posted - 25 February 2006 : 07:50:00
Or buttons?
Howsabout this for media?
or this?
Edited by - Karel Bata on 25 February 2006 09:00:02
ILLHILL
Junior Member
Netherlands
341 Posts
Posted - 25 February 2006 : 08:04:29
I meant posting buttons indeed, but I read icons and somehow that slipped in. lol I forgot I have different buttons than the original ones.
CLPPR.com - All The News Only Seconds Away
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 25 February 2006 : 10:26:06
Podge, I guess that if your regexp checks the consistency of the URL, it would be rather safe. As long as there aren't any ', " and < or > in it, it would be safe if I'm not mistaken.
About the buttons: nice ones!!! I like the posting buttons, but we forgot the audio button (the wma code, used for all audio playable with the Windows Media Player).
Edited by - MarcelG on 25 February 2006 10:27:13
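A validator in the spirit of Podge's regex post and MarcelG's reply above, as an added JavaScript example that is not Snitz, oxle or the thread authors' code; the function names, the embed layout and the sample URL are assumptions/constructed. It anchors the host, applies the regex's character set, and rejects ' " < > both in the raw URL and after one round of percent-decoding, since the Google URL is URL-encoded.

```javascript
// Added example, not Snitz or oxle code: validate a user-supplied Google Video
// player URL before it reaches an <embed> src or the JavaScript player call.
// Function names and the embed layout are assumptions; the rules follow the
// thread: host-anchored match, the VB regex's character set, and no ' " < >
// even after one round of percent-decoding (the Google URL is URL-encoded).
const GOOGLE_VIDEO_PREFIX = "http://video.google.com/";
// Same character set as the VB regex, applied to everything after the host.
const ALLOWED_REST = /^[\w\-.,@?^=%&:\/~+#]*$/;
const FORBIDDEN = /['"<>]/;

function validateGoogleVideoUrl(url) {
  if (typeof url !== "string" || url.length > 2048) return null;
  // Requiring the "/" after the host stops lookalike hosts such as
  // video.google.com.example from passing a prefix-only check.
  if (!url.startsWith(GOOGLE_VIDEO_PREFIX)) return null;
  if (!ALLOWED_REST.test(url.slice(GOOGLE_VIDEO_PREFIX.length))) return null;
  // %22 or %3C would pass the raw check, so decode once and re-check.
  let decoded;
  try {
    decoded = decodeURIComponent(url);
  } catch (err) {
    return null; // malformed percent-escape
  }
  return FORBIDDEN.test(decoded) ? null : url;
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the <embed> only from a validated URL; width/height fall back to the
// thread's 400x326 unless they are integers, like vid.asp's IsNumeric check.
function buildGoogleEmbed(url, width, height) {
  const safe = validateGoogleVideoUrl(url);
  if (safe === null) return null;
  const w = Number.isInteger(width) ? width : 400;
  const h = Number.isInteger(height) ? height : 326;
  return `<embed type="application/x-shockwave-flash" src="${escapeAttr(safe)}" ` +
    `width="${w}" height="${h}" allowScriptAccess="never"></embed>`;
}

// Constructed sample in the shape of the thread's Google player URL.
const SAMPLE_URL = "http://video.google.com/googleplayer.swf?videoUrl=" +
  "http%3A%2F%2Fvp.video.google.com%2Fvideodownload%3Fdocid%3D123&playerMode=embedded";
console.log(buildGoogleEmbed(SAMPLE_URL, 400, 326));
```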
Podge
Support Moderator
Ireland
3775 Posts
Posted - 25 February 2006 : 10:59:49
The regex extracts the URL including the querystring. I then check that string (instead of fString) and it gets passed to the JavaScript function if it passes (and it does). At the moment I'm still getting the function right and you will have to test it for me afterwards. I have it working in a post but there is a problem with vid.asp. The Google URL is partially URL-encoded when passed to vid.asp and gets chopped off.
Nice buttons / icons. One thing though: don't we need two Windows Media icons? One for audio and one for video? A Google Video icon / button would be cool too.
ILLHILL
Junior Member
Netherlands
341 Posts
Posted - 25 February 2006 : 17:36:37
Bumped into something. When you try to edit a topic/reply containing flash, the edit field shows this:
[flash" SRC="LinkToFlashFile.swf" HIDDEN="false" AUTOSTART="true" LOOP="true" volume="100"></EMBED>
Karel Bata
Junior Member
United Kingdom
122 Posts
Posted - 25 February 2006 : 18:50:33
Tough call on the buttons.
There are no specific Yahoo Video, or Windows audio logos (that I know of)
What about these? The speaker could work for all audio files. This mod would be brilliant for sites dealing with music!
So far...
quote: When you try to edit a topic/reply containing flash, the edit field shows this: [flash" SRC="LinkToFlashFile.swf" HIDDEN="false" AUTOSTART="true" LOOP="true" volume="100"></EMBED>
...and that is precisely why I'm going to be looking for someone else to play host to my forum. I wouldn't know where to begin fixing a bug like that.
Edited by - Karel Bata on 26 February 2006 05:30:48